Source: kanboard
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,

The following vulnerabilities were published for kanboard.

CVE-2024-51747[0]:
| Kanboard is project management software that focuses on the Kanban
| methodology. An authenticated Kanboard admin can read and delete
| arbitrary files from the server. File attachments, that are viewable
| or downloadable in Kanboard are resolved through its `path` entry in
| the `project_has_files` SQLite db. Thus, an attacker who can upload
| a modified sqlite.db through the dedicated feature, can set
| arbitrary file links, by abusing path traversals. Once the modified
| db is uploaded and the project page is accessed, a file download can
| be triggered and all files, readable in the context of the Kanboard
| application permissions, can be downloaded. This issue has been
| addressed in version 1.2.42 and all users are advised to upgrade.
| There are no known workarounds for this vulnerability.

https://github.com/kanboard/kanboard/security/advisories/GHSA-78pf-vg56-5p8v

CVE-2024-51748[1]:
| Kanboard is project management software that focuses on the Kanban
| methodology. An authenticated Kanboard admin can run arbitrary php
| code on the server in combination with a file write possibility. The
| user interface language is determined and loaded by the setting
| `application_language` in the `settings` table. Thus, an attacker
| who can upload a modified sqlite.db through the dedicated feature,
| has control over the filepath, which is loaded. Exploiting this
| vulnerability has one constraint: the attacker must be able to place
| a file (called translations.php) on the system. However, this is not
| impossible, think of anonymous FTP server or another application
| that allows uploading files. Once the attacker has placed its file
| with the actual php code as the payload, the attacker can craft a
| sqlite db settings, which uses path traversal to point to the
| directory, where the `translations.php` file is stored.
| Then gaining code execution after importing the crafted sqlite.db.
| This issue has been addressed in version 1.2.42 and all users are
| advised to upgrade. There are no known workarounds for this
| vulnerability.

https://github.com/kanboard/kanboard/security/advisories/GHSA-jvff-x577-j95p

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-51747
    https://www.cve.org/CVERecord?id=CVE-2024-51747
[1] https://security-tracker.debian.org/tracker/CVE-2024-51748
    https://www.cve.org/CVERecord?id=CVE-2024-51748

Please adjust the affected versions in the BTS as needed.
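A defender-side pre-import check covering both advisories above, written as an added example (not Kanboard's own code): it opens a SQLite database before it is imported and flags `project_has_files.path` values that resolve outside the attachments directory, and an `application_language` value that is not a plain locale code. The table columns beyond those the advisories name, the `settings(option, value)` layout, the attachments directory and the locale-code pattern are assumptions; the sample database is constructed inline.

```python
import os
import re
import sqlite3
import tempfile

# Assumed minimal schema; only the columns the advisories name are used.
#   project_has_files(id, project_id, name, path)   settings(option, value)
LANG_RE = re.compile(r"^[a-z]{2}_[A-Z]{2}$")  # locale codes such as en_US (assumption)

def is_confined(base_dir: str, relative: str) -> bool:
    """True if base_dir/relative resolves to a location inside base_dir."""
    if os.path.isabs(relative):
        return False
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relative))
    return target == base or target.startswith(base + os.sep)

def audit_db(db_path: str, files_dir: str) -> list:
    """Return findings for the two fields the advisories name; [] means clean."""
    findings = []
    con = sqlite3.connect(db_path)
    try:
        for row_id, path in con.execute("SELECT id, path FROM project_has_files"):
            if not is_confined(files_dir, path):
                findings.append(f"project_has_files id={row_id}: path leaves {files_dir}: {path!r}")
        for (value,) in con.execute("SELECT value FROM settings WHERE option = 'application_language'"):
            if not LANG_RE.match(value):
                findings.append(f"settings.application_language is not a locale code: {value!r}")
    finally:
        con.close()
    return findings

def build_sample_db(path: str) -> None:
    """Constructed sample: one benign attachment, one traversal path, one bad language value."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE project_has_files (id INTEGER PRIMARY KEY, project_id INTEGER, name TEXT, path TEXT);
        CREATE TABLE settings (option TEXT PRIMARY KEY, value TEXT);
        INSERT INTO project_has_files VALUES (1, 1, 'spec.pdf', '1/3f2a9c');
        INSERT INTO project_has_files VALUES (2, 1, 'note.txt', '../../outside.txt');
        INSERT INTO settings VALUES ('application_language', '../../../uploads/somewhere');
    """)
    con.commit()
    con.close()

def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "db.sqlite")
        build_sample_db(db)
        return audit_db(db, os.path.join(tmp, "data", "files"))
```

Running `demo()` on the constructed database yields two findings: the traversal path in row 2 and the non-locale `application_language` value; the benign `1/3f2a9c` entry passes.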