CVE-2021-47921

Vulnerability

Overview

Free Photo & Video Vault v0.0.2, an iOS application for password-protected photo and video storage, contains a directory traversal web vulnerability. The application fails to properly validate and sanitize user-supplied path inputs during web requests, enabling path traversal attacks. This vulnerability is classified as CWE-22 (Path Traversal) [1][3].

Exploitation

Details

An attacker can exploit this vulnerability remotely by manipulating application path requests. No authentication or user interaction is required, as the vulnerability can be exploited with guest privileges. The attacker does not need to be on the same network; the attack vector is over the web interface [1][3].

Impact

Assessment

Successful exploitation allows a remote attacker to read sensitive system files, including environment variables. This information disclosure can aid in further attacks, such as privilege escalation or lateral movement, by exposing configuration details or secrets [1][3].

Mitigation

The vulnerability was publicly disclosed in June 2021. The affected version is 0.0.2, and no patch has been provided by the developer as of the disclosure date. Users are advised to restrict access to the application's web interface and monitor for potential exploitation [1].