rt.rap: Eclipse RAP FileUpload component RCE

The Eclipse Foundation is a Common Vulnerabilities and Exposures (CVE) Numbering Authority. This issue it used to request and track the progress of the assignment of a CVE for a vulnerability in the project code for an Eclipse open source project.

Basic information

Project name: Eclipse RAP

Project id: rt.rap

Request type: publication

Versions affected: [3.0.0, 3.25.0]

Long version: The code in question, in particular the implementation of FileUploadProcessor.stripFileName(String name) was already part of the initial implementation that started in the RAP Incubator project, and has been converted to a Git repository in 2013. It became part of the main Eclipse RAP project after moving the FileUpload component in 2015 with commit 574a2f1 to Eclipse RAP 3.0.0, and has been sitting there unmodified up to and including Eclipse RAP 3.25.0.

Common Weakness Enumeration:

• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-23: Relative Path Traversal

Common Attack Pattern Enumeration and Classification:

• CAPEC-154: https://capec.mitre.org/data/definitions/154.html

Common Vulnerability Scoring System: {cvss}

• CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L with a score of 7.6

Summary:

In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component.
The reason for this is a not completely secure extraction of the file name in the FileUploadProcessor.stripFileName(String name) method. As soon as this finds a / in the path, everything before it is removed, but potentially \ (backslashes) coming further back are kept.
For example, a file name such as /..\..\webapps\shell.war can be used to upload a file to a Tomcat server under Windows, which is then saved as ..\..\webapps\shell.war in its webapps directory and can then be executed.

Links:

• Initial Security Report: rt.rap: RCE on RAP File Upload
• #141 Fix handling of file names on Windows

Tracking

This section will completed by the project team.

• Reserve an entry only
• We're ready for this issue to be reported to the central authority (i.e., make this public now)
• NA (when applicable) The GitHub Security Advisory is ready to be published now

Note that for those projects that host their repositories on GitHub, the use of GitHub Security Advisories is recommended but is not required.

This section will be completed by the EMO.

CVE: {cve}

• All required information is provided
• CVE Assigned
• Pushed to Mitre
• Accepted by Mitre

mentioned in issue vulnerability-reports#160 (closed)

CVE-2023-4760 has been reserved for this vulnerability

made the issue visible to everyone

assigned to @ifurnadjiev

made the issue confidential

changed the description

changed the description

marked the checklist item We're ready for this issue to be reported to the central authority (i.e., make this public now) as completed

@mbarbero Ready to be published from our side.

@mknauer I'm on it

assigned to @mrybczyn

made the issue visible to everyone

The CVE entry has been published @mknauer . I'm removing the confidential flag

closed

marked the checklist item All required information is provided as completed

marked the checklist item CVE Assigned as completed

marked the checklist item Pushed to Mitre as completed

marked the checklist item Accepted by Mitre as completed

changed the description