CVE-2023-46307
Description
An issue was discovered in server.js in etcd-browser 87ae63d75260. By supplying a /../../../ Directory Traversal input to the URL's GET request while connecting to the remote server port specified during setup, an attacker can retrieve local operating system files from the remote system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Directory traversal in etcd-browser server.js allows reading arbitrary local OS files via crafted GET requests.
Vulnerability
The etcd-browser application, at commit 87ae63d75260, contains a directory traversal vulnerability in its server.js file. By sending a GET request with a ../../../ path sequence appended to the URL, an attacker can escape the intended web root and read arbitrary files from the host filesystem. The vulnerability is reachable when the built-in server is running (default on port 8000) and accepts GET requests. Affected versions include any deployment using the buddho/etcd-browser Docker image built from the vulnerable commit [1].
Exploitation
An attacker only needs network access to the port where the etcd-browser server is listening (default 8000). No authentication is required; the server processes the malicious path without validation. A simple HTTP GET request to http://:8000/../../../etc/passwd (or any other file path) will return the contents of the requested file. The attacker must know or guess the target file path. The request is made over HTTP to the server's exposed port [1].
Impact
Successful exploitation allows an unauthenticated remote attacker to read arbitrary files from the host operating system. This includes sensitive configuration files, credentials, SSH keys, and application source code. The vulnerability leads to information disclosure that could assist further attacks or compromise the entire host's security posture.
Mitigation
As of the publication date (2023-12-07), no official patch or updated version has been released for etcd-browser. The project appears unmaintained; the referenced Docker image buddho/etcd-browser is a community build and may not receive fixes [1]. Workarounds include restricting network access to the server (e.g., using a firewall or reverse proxy with path validation) or disabling direct exposure of the service until a fix is available.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- etcd-browser/etcd-browser
  - Range: 87ae63d75260
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.