Submission #687603: Dreampie Resty Framework - HttpClient Module 1.3.1.SNAPSHOT Path Traversal / Directory Traversal (CWE-22) Information

Title: Dreampie Resty Framework - HttpClient Module 1.3.1.SNAPSHOT Path Traversal / Directory Traversal (CWE-22)
Description: A path traversal vulnerability exists in Resty Framework's HttpClient module (all versions including and prior to 1.3.1.SNAPSHOT). When the HttpClient downloads files to a directory (as opposed to a specific file path), it automatically extracts the filename from the HTTP response's Content-Disposition header without performing any path sanitization. An attacker controlling the HTTP response can inject path traversal sequences (e.g., ../) in the filename to write files to arbitrary locations on the filesystem. This vulnerability can be exploited through multiple attack vectors including Man-in-the-Middle attacks on HTTP connections, malicious third-party API servers, compromised CDN/update servers, or lateral movement in microservice architectures. Successful exploitation can lead to remote code execution (via webshell deployment or malicious script injection), privilege escalation (via SSH key injection or systemd service installation), data exfiltration (via configuration file replacement), or denial of service (via critical file corruption). The vulnerability is located in /resty-httpclient/src/main/java/cn/dreampie/client/HttpClient.java at lines 157-178, where the filename is extracted via contentDisposition.substring(fileNameIndex + 9) and directly used in new File(fileOrDirectory, fileName) without validation. Notably, the framework's file upload handler (MultipartParser) correctly implements path traversal protection by stripping directory separators, indicating this is a security regression rather than intentional design.
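As an added illustration (not Resty's code and not part of the submission), the following Java sketch contrasts the unsanitized extraction pattern the description quotes with a hardened version that keeps only the final path segment and confirms the result stays inside the download directory. The class, method names and the sample header value are constructed for this example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

public class SafeDownloadName {

    // Mirrors the pattern the description quotes: everything after "filename="
    // (9 characters) is joined to the directory unchecked. Shown only as the "before".
    static File unsafeTarget(File directory, String contentDisposition) {
        int idx = contentDisposition.indexOf("filename=");
        String fileName = contentDisposition.substring(idx + 9);
        return new File(directory, fileName);
    }

    // Hardened variant: isolate the parameter, strip quotes, keep only the last
    // path segment (as MultipartParser does), reject dot-only or NUL-bearing names,
    // then verify the normalized result is a direct child of the download directory.
    static Path safeTarget(Path directory, String contentDisposition) throws IOException {
        int idx = contentDisposition.indexOf("filename=");
        if (idx < 0) throw new IOException("no filename in Content-Disposition");
        String raw = contentDisposition.substring(idx + 9).trim();
        int semi = raw.indexOf(';');
        if (semi >= 0) raw = raw.substring(0, semi).trim();
        if (raw.length() >= 2 && raw.startsWith("\"") && raw.endsWith("\"")) {
            raw = raw.substring(1, raw.length() - 1);
        }
        // Drop any directory component regardless of which separator the server used.
        int cut = Math.max(raw.lastIndexOf('/'), raw.lastIndexOf('\\'));
        String name = cut >= 0 ? raw.substring(cut + 1) : raw;
        if (name.isEmpty() || name.equals(".") || name.equals("..") || name.indexOf('\0') >= 0) {
            throw new IOException("unsafe filename in Content-Disposition: " + raw);
        }
        Path base = directory.toAbsolutePath().normalize();
        Path target = base.resolve(name).normalize();
        if (!target.startsWith(base) || !base.equals(target.getParent())) {
            throw new IOException("filename escapes download directory: " + raw);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed header of the kind the description warns about (traversal in filename).
        String header = "attachment; filename=../../tmp/evil.jsp";
        File dir = new File("downloads");
        System.out.println("unsafe -> " + unsafeTarget(dir, header).getPath());
        System.out.println("safe   -> " + safeTarget(dir.toPath(), header));
    }
}
```

The unsafe path resolves outside `downloads`, while the hardened call yields `downloads/evil.jsp`; a name that reduces to `..` or is empty is rejected rather than silently written.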
Source: https://github.com/Xzzz111/exps/blob/main/archives/Resty-PathTraversal-01/cve_application.md
User: sh7err (UID 91441)
Submitted: November 2, 2025 16:45 (6 months ago)
Moderation: November 19, 2025 17:59 (17 days later)
Status: Accepted
VulDB Entry: 332979 [Dreampie Resty up to 1.3.1.SNAPSHOT HttpClient HttpClient.java request filename directory traversal]
Points: 20