CVE-2023-36822: Uptime Kuma's authenticated path traversal via plugin repository name may lead to unavailability or data loss
A path traversal vulnerability via the plugin repository name allows an authenticated attacker to delete files on the server leading to unavailability and potentially data loss.
References
- github.com/advisories/GHSA-vr8x-74pm-6vj7
- github.com/louislam/uptime-kuma
- github.com/louislam/uptime-kuma/blob/de74efb2e6601dcbcfed32cddefc4078a80fcb0b/server/plugins-manager.js
- github.com/louislam/uptime-kuma/commit/a0736e04b2838aae198c2110db244eab6f87757b
- github.com/louislam/uptime-kuma/pull/3346
- github.com/louislam/uptime-kuma/releases/tag/1.22.1
- github.com/louislam/uptime-kuma/security/advisories/GHSA-vr8x-74pm-6vj7
- nvd.nist.gov/vuln/detail/CVE-2023-36822
Detect and mitigate CVE-2023-36822 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →