VYPR
High severity · NVD Advisory · Published Dec 10, 2023 · Updated Aug 2, 2024

CVE-2023-50449

Description

JFinalCMS 5.0.0 could allow a remote attacker to read files via ../ Directory Traversal in the /common/down/file fileKey parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JFinalCMS 5.0.0 contains a path traversal vulnerability in file downloading, allowing unauthenticated remote file disclosure.

Vulnerability

Overview

CVE-2023-50449 is a directory traversal vulnerability in JFinalCMS version 5.0.0, a content management system built on the JFinal Java web framework [1]. The flaw resides in the /common/down/file endpoint, where the fileKey parameter is not properly sanitized before being used in file system operations [2]. An attacker can inject ../ sequences into this parameter to navigate outside the intended directory and read arbitrary files from the server's filesystem [3].

Attack

Vector and Prerequisites

The vulnerability is exploitable without authentication, as the affected endpoint is publicly accessible [3]. No special privileges or session tokens are required. The attack is performed by crafting a malicious HTTP request to the /common/down/file URL with a fileKey value containing path traversal payloads, such as ../../../etc/passwd [2][3]. The server then processes this input and returns the contents of the requested file, as demonstrated in the issue report [3].

Impact

Successful exploitation allows a remote, unauthenticated attacker to read sensitive files on the server, including configuration files containing database credentials, source code, or other confidential data [2][3]. This can lead to full compromise of the application and potentially the underlying server, depending on the information disclosed.

Mitigation

As of the publication date, no patch has been released for JFinalCMS 5.0.0, and the project appears to be unmaintained [1][3]. Users are advised to restrict network access to the vulnerable endpoint or migrate to an alternative solution. The vulnerability has been publicly documented and could be targeted by attackers.
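The check a fix for this class of bug needs, as an added example in Java (not JFinalCMS code; the class name, method names and the temporary-directory fixture are assumptions): resolve fileKey against the download directory, then verify that the canonical result is still inside it before serving anything.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example (not JFinalCMS code): confine a user-supplied file key to one directory.
public final class SafeFileDownload {
    private final Path baseDir;

    public SafeFileDownload(Path baseDir) throws IOException {
        // Canonicalise the base once so later prefix checks compare real paths.
        this.baseDir = baseDir.toRealPath();
    }

    // Returns the file to serve, or throws if fileKey would leave baseDir.
    public Path resolve(String fileKey) throws IOException {
        if (fileKey == null || fileKey.isEmpty() || fileKey.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid fileKey");
        }
        // normalize() collapses "..", and resolve() of an absolute key yields that absolute
        // path, so "../../../etc/passwd" and "/etc/passwd" both land outside baseDir here.
        Path candidate = baseDir.resolve(fileKey).normalize();
        if (!candidate.startsWith(baseDir)) { // component-wise prefix test, not a string prefix
            throw new SecurityException("fileKey escapes download directory");
        }
        // toRealPath() follows symlinks: a link inside baseDir pointing outside is rejected too.
        Path real = candidate.toRealPath();
        if (!real.startsWith(baseDir) || !Files.isRegularFile(real)) {
            throw new SecurityException("fileKey is not a regular file in download directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: a temporary download directory holding one file.
        Path dir = Files.createTempDirectory("downloads");
        Files.writeString(dir.resolve("report.pdf"), "demo");
        SafeFileDownload d = new SafeFileDownload(dir);
        System.out.println("ok: " + d.resolve("report.pdf"));
        for (String key : new String[] {"../../../etc/passwd", "/etc/passwd", "sub/../../x"}) {
            try {
                d.resolve(key);
            } catch (SecurityException e) {
                System.out.println("rejected " + key + ": " + e.getMessage());
            }
        }
    }
}
```

Path.startsWith compares whole path components, so a base of /var/app/downloads does not accept /var/app/downloads2/secret the way a plain String prefix check would.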

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.jfinal:jfinal (Maven)
Affected versions: <= 5.0.0
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in the index yet)