VYPR
Unrated severity · NVD Advisory · Published Nov 12, 2021 · Updated Aug 4, 2024

CVE-2021-43494
Description

OpenCV-REST-API master branch as of commit 69be158c05d4dd5a4aff38fdc680a162dd6b9e49 is affected by a directory traversal vulnerability. This attack can cause the disclosure of critical secrets stored anywhere on the system and can significantly aid in getting remote code access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal vulnerability in OpenCV-REST-API master branch (commit 69be158c04d4dd5a4aff38fdc680a162dd6b9e49) allows disclosure of arbitrary system files via a crafted URI.

Vulnerability

A directory traversal vulnerability exists in the static_outputs_view route of OpenCV-REST-API master branch as of commit 69be158c05d4dd5a4aff38fdc680a162dd6b9e49 [1]. The route uses send_from_directory() with attacker-controlled path and filename parameters derived from the user-supplied <path:path> variable. The code does not sanitise or validate the path for directory traversal sequences, enabling an attacker to access arbitrary files outside the intended directory.

Exploitation

An attacker can exploit this by sending a crafted HTTP request to the /static/outputs/ endpoint with path traversal sequences (e.g., ../) in the URI. For example, requesting /static/outputs/../../../../etc/passwd will return the contents of the /etc/passwd file [1]. No authentication is required, and the attacker only needs network access to the server.

Impact

Successful exploitation leads to disclosure of critical secrets stored anywhere on the filesystem, including application source code, configuration files, and system files. This can significantly aid further attacks, potentially leading to remote code execution [1]. The disclosure is limited by system access controls, such as locked files on Windows.

Mitigation

As of the available references, no official fix has been released for this vulnerability [1]. The issue was reported and acknowledged in the project's issue tracker. Users should apply input validation and sanitisation to the path parameter, or avoid using send_from_directory with user-controlled input until a patched version is available.
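The route described above hands user-controlled directory and filename halves to send_from_directory(), so Flask's per-filename check never sees the traversal in the directory half. The following is an added example (not code from OpenCV-REST-API or from this advisory) of the containment check the mitigation section calls for: validate the whole user-supplied path against the output directory first, and only then split it into the two arguments. OUTPUTS_DIR, the function names, and the shape of the handler are assumptions made for this example; the handler is a stand-in that returns what a Flask route would pass on, so the block runs without Flask installed.

```python
import os

# Constructed for this example: the directory the route is meant to serve from.
OUTPUTS_DIR = "/srv/app/outputs"


def resolve_output_path(base_dir, user_path):
    """Map a user-supplied relative path onto a file inside base_dir.

    Returns the absolute path if it stays inside base_dir, otherwise None.
    The check runs on the whole user-supplied path *before* it is split into
    the directory and filename arguments of send_from_directory(), so a
    traversal sequence in either half is rejected.
    """
    if not user_path or "\x00" in user_path or "\\" in user_path:
        # Empty paths, NUL bytes and Windows separators are never valid here.
        return None
    if user_path.startswith("/"):
        # os.path.join() would discard base_dir for an absolute path.
        return None
    base = os.path.realpath(base_dir)
    # realpath() collapses "..", "." and symlinks, so the containment test
    # below sees the path the OS would actually open, not the spelling the
    # client chose.
    candidate = os.path.realpath(os.path.join(base, user_path))
    # The candidate must be strictly below base: base itself is a directory,
    # and a sibling such as "/srv/app/outputs2" must not pass a prefix test,
    # which is why commonpath() is used instead of startswith().
    if os.path.commonpath([base, candidate]) != base or candidate == base:
        return None
    return candidate


def split_for_send_from_directory(safe_path):
    """Split an already validated path into the (directory, filename) pair
    that Flask's send_from_directory() takes."""
    return os.path.dirname(safe_path), os.path.basename(safe_path)


def handle_static_outputs(user_path, base_dir=OUTPUTS_DIR):
    """Stand-in for the route handler (hypothetical; no Flask required).

    Returns an HTTP status and the (directory, filename) pair to hand to
    send_from_directory(), or 404 when the path is rejected. A plain 404
    avoids telling the client whether the file exists outside the directory.
    """
    safe_path = resolve_output_path(base_dir, user_path)
    if safe_path is None:
        return 404, None
    return 200, split_for_send_from_directory(safe_path)


if __name__ == "__main__":
    # Constructed request paths: one legitimate, the rest traversal attempts.
    for p in ["result.png", "job42/result.png", "../../../../etc/passwd",
              "/etc/passwd", "job42/../../config.py"]:
        print(repr(p), "->", handle_static_outputs(p))
```

In the real route the validated pair would be passed straight to send_from_directory(); because the directory argument is now derived from a path already proven to sit under OUTPUTS_DIR, the client can no longer steer it. The realpath() step matters as much as the ".." check: a symlink inside the output directory pointing elsewhere would otherwise pass a purely textual normalisation.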

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)