Submeter #857926: Gerapy 0.9.13 / master branch at commit 7c4eda875563f5d0342a3650959e0502bc279d77 CWE-862 Missing Authorization / CWE-434 Unrestricted Upload of Finformação

TítuloGerapy 0.9.13 / master branch at commit 7c4eda875563f5d0342a3650959e0502bc279d77 CWE-862 Missing Authorization / CWE-434 Unrestricted Upload of F
DescriçãoGerapy 0.9.13 exposes the project upload endpoint `POST /api/project/upload` without authentication. The route is mapped in `gerapy/server/core/urls.py` and the corresponding `project_upload` view in `gerapy/server/core/views.py` has `@permission_classes([IsAuthenticated])` commented out, while the surrounding project and client management APIs explicitly require authentication. The same view accepts `request.FILES['file']`, saves it to `PROJECTS_FOLDER`, opens it as a ZIP archive, and extracts all entries into `PROJECTS_FOLDER`. An unauthenticated remote attacker can therefore upload a crafted ZIP archive to place a new Scrapy project or overwrite files in an existing project directory. This can result in persistent project tampering and a practical path to code execution when an administrator later builds, deploys, parses, schedules, or runs the attacker-controlled project through Gerapy/Scrapyd workflows. Remediation should restore authentication on the upload endpoint, validate the uploaded archive type and entry names, extract only into a newly created validated project directory, and prevent unintended overwrites.
Fonte⚠️ https://github.com/Gerapy/Gerapy/issues/317
Utilizador
 Galaxyn (UID 98388)
Submissão13/06/2026 12h57 (há 1 mês)
Moderação18/07/2026 10h29 (1 month later)
EstadoAceite
Entrada VulDB380025 [Gerapy até 0.9.13 Project Upload Endpoint views.py Autenticação fraca]
Pontos20

Do you want to use VulDB in your project?

Use the official API to access entries easily!