CVE-2024-51376
Description
Unauthenticated directory traversal in yeqifu carRental v1.0 allows remote attackers to download arbitrary files via the /file/downloadFile.action endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
The vulnerability resides in the downloadFile() function within the com.yeqifu.sys.utls.AppFileUtils class. This function fails to sanitize the path parameter passed to the /file/downloadFile.action endpoint and does not enforce any authentication or session validation; it does not check the user's cookie [1][2].
Attack Vector
A remote, unauthenticated attacker can exploit this flaw by sending a crafted HTTP GET request to the vulnerable endpoint. The path parameter accepts relative path traversal sequences (e.g., ../), enabling the attacker to navigate outside the intended web root directory. The provided proof-of-concept demonstrates downloading arbitrary files like .bash_history by simply adjusting the path [1][2].
Impact
Successful exploitation allows an attacker to read any file on the server filesystem that the web application process can access. This can lead to the disclosure of sensitive information such as configuration files, credentials, source code, or system files, compromising the confidentiality of the application and its underlying infrastructure [1][2].
Mitigation
No official patch or updated version has been released as of the publication date. Users of yeqifu carRental v1.0 are advised to apply input validation and authentication checks to the vulnerable endpoint or restrict access via a web application firewall (WAF) until a fix is made available.
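As an added illustration of the input-validation advice above (not code from yeqifu carRental or from any released fix), the hypothetical resolver below shows the check a download handler should perform before opening a file: the requested name is resolved against a fixed download directory, normalized, canonicalized through symlinks, and rejected unless the result still lies inside that directory. The session or cookie check the advisory says is missing is a separate control that belongs in the action before this resolver is ever called.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Hypothetical hardened resolver; not part of the carRental code base. */
public final class SafeDownloadResolver {
    private final Path baseDir;

    public SafeDownloadResolver(Path baseDir) throws IOException {
        // toRealPath() resolves symlinks and normalizes, so later comparisons
        // are made against the canonical form of the allowed directory.
        this.baseDir = baseDir.toRealPath();
    }

    /**
     * Returns the file to serve, or throws if the request would leave baseDir.
     * The decision is made on the resolved, normalized path, not on string
     * patterns, so "../" sequences, absolute paths and symlinks that point
     * outside the directory are all refused.
     */
    public Path resolve(String requested) throws IOException {
        if (requested == null || requested.isEmpty()) {
            throw new IllegalArgumentException("empty path");
        }
        // Resolve against the base first: an absolute input replaces the base
        // entirely, which the startsWith check below then catches.
        Path candidate = baseDir.resolve(requested).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new SecurityException("path escapes download directory: " + requested);
        }
        // Re-check after following symlinks, in case a link inside baseDir
        // points somewhere outside it.
        Path real = candidate.toRealPath();
        if (!real.startsWith(baseDir) || !Files.isRegularFile(real)) {
            throw new SecurityException("not a regular file inside download directory");
        }
        return real;
    }

    // Constructed demo: a temporary base directory with one allowed file;
    // a plain name is served and a traversal request is refused.
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("downloads");
        Files.writeString(base.resolve("report.pdf"), "demo");
        SafeDownloadResolver r = new SafeDownloadResolver(base);
        System.out.println("served: " + r.resolve("report.pdf"));
        try {
            r.resolve("../../../../root/.bash_history");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```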
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0. No patches discovered yet.
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0. No linked articles in our index yet.