CVE-2024-56331: uptime-kuma vulnerable to Local File Inclusion (LFI) via Improper URL Handling in `Real-Browser` monitor
An Improper URL Handling Vulnerability allows an attacker to access sensitive local files on the server by exploiting the file:/// protocol. This vulnerability is triggered via the “real-browser” request type, which takes a screenshot of the URL provided by the attacker. By supplying local file paths, such as file:///etc/passwd, an attacker can read sensitive data from the server.
References
- github.com/advisories/GHSA-2qgm-m29m-cj2h
- github.com/louislam/uptime-kuma
- github.com/louislam/uptime-kuma/commit/6cfae01a0d3727c517afe512fc8fec1d99acf875
- github.com/louislam/uptime-kuma/releases/tag/1.23.16
- github.com/louislam/uptime-kuma/security/advisories/GHSA-2qgm-m29m-cj2h
- nvd.nist.gov/vuln/detail/CVE-2024-56331
Detect and mitigate CVE-2024-56331 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →