CVE-2023-43662
📋 TL;DR
CVE-2023-43662 is an unauthenticated arbitrary file read vulnerability in ShokoServer's /api/Image/WithPath endpoint. Attackers can read any file on the server by manipulating the serverImagePath parameter, potentially exposing sensitive information. All ShokoServer installations with the vulnerable endpoint exposed are affected.
💻 Affected Systems
- ShokoServer
📦 What is this software?
ShokoServer by ShokoAnime
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via reading sensitive files like configuration files, credentials, SSH keys, or database files, especially dangerous on Windows installations running as administrator.
Likely Case
Unauthenticated attackers reading sensitive server files, potentially exposing user data, configuration secrets, or system files.
If Mitigated
Limited impact with proper network segmentation and access controls preventing external access to the vulnerable endpoint.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable endpoint with path traversal payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions including commit 6c57ba0f0
Vendor Advisory: https://github.com/ShokoAnime/ShokoServer/security/advisories/GHSA-mwcv-ghjq-8f2g
Restart Required: Yes
Instructions:
1. Update to the latest ShokoServer version containing commit 6c57ba0f0.
2. Restart the ShokoServer service.
3. Verify that the /api/Image/WithPath endpoint is no longer accessible.
🔧 Temporary Workarounds
Block vulnerable endpoint
Use web server or firewall rules to block access to the /api/Image/WithPath endpoint. Match the path case-insensitively: ASP.NET Core routing ignores case, so a rule that only blocks the exact spelling leaves variants such as /api/image/withpath reachable.
# For nginx (~* is a case-insensitive regex match):
location ~* ^/api/image/withpath { deny all; }
# For Apache (LocationMatch with (?i) for a case-insensitive match):
<LocationMatch "(?i)^/api/image/withpath">
    Require all denied
</LocationMatch>
Enable authentication
Configure ShokoServer to require authentication for all API endpoints.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the ShokoServer API
- Monitor for suspicious file access patterns and path traversal attempts in server logs
🔍 How to Verify
Check if Vulnerable:
Send HTTP GET request to /api/Image/WithPath?serverImagePath=../../../../etc/passwd (Linux) or similar path traversal payload and check if file contents are returned.
Check Version:
Check the ShokoServer web interface or logs for version information, or verify that the running build includes commit 6c57ba0f0.
Verify Fix Applied:
Attempt the same path traversal request after patching; the response should be a 404 or an authentication error instead of file contents.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /api/Image/WithPath with path traversal patterns (../, ..\, absolute paths)
- File access errors for sensitive system files
Network Indicators:
- Unusual file read patterns from unauthenticated sources
- Multiple sequential requests with different path parameters
SIEM Query:
source="shokoserver" AND uri_path="/api/Image/WithPath" AND (query="*../*" OR query="*..\\*")
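The log indicators and SIEM query above, turned into a small detector (added example code, not from the ShokoServer project or the advisory): it parses constructed Common Log Format lines, picks out requests to the endpoint whose serverImagePath is a traversal sequence or an absolute path, including URL-encoded and backslash variants, flags 200 responses as likely successful reads, and counts repeat sources. The log format, sample lines and IP addresses are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/api/image/withpath"   # matched case-insensitively, as ASP.NET Core routes are
PARAM = "serverImagePath"

# Constructed sample access log (Common Log Format); not taken from any real deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2023:12:00:01 +0000] "GET /api/Image/WithPath?serverImagePath=images%2Fposter.jpg HTTP/1.1" 200 5120
10.0.0.9 - - [01/Oct/2023:12:00:02 +0000] "GET /api/Image/WithPath?serverImagePath=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1337
10.0.0.9 - - [01/Oct/2023:12:00:03 +0000] "GET /api/image/withpath?serverImagePath=..\\..\\Windows\\win.ini HTTP/1.1" 200 88
10.0.0.9 - - [01/Oct/2023:12:00:04 +0000] "GET /api/Image/WithPath?serverImagePath=%252e%252e%2Fetc%2Fhosts HTTP/1.1" 404 0
10.0.0.7 - - [01/Oct/2023:12:00:05 +0000] "GET /api/v3/Series HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')


def is_suspicious_path(value: str) -> bool:
    # Decode twice so double-encoded dots (%252e) are caught; map '\' to '/' so
    # Windows-style payloads normalise the same way as POSIX ones.
    normalized = unquote(unquote(value)).replace("\\", "/")
    if "../" in normalized or normalized.endswith(".."):
        return True
    if normalized.startswith("/"):                           # POSIX absolute path
        return True
    return re.match(r"^[A-Za-z]:/", normalized) is not None  # Windows drive path


def find_traversal_attempts(log_text: str) -> list[dict]:
    """One record per request to the vulnerable endpoint that carries a suspicious path.
    A 200 is the strongest sign of a successful read; 404/401/403 after patching or
    blocking is the expected outcome and still worth recording as an attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path.lower() != VULN_PATH:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if is_suspicious_path(value):
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                             "path": unquote(unquote(value)), "likely_success": m["status"] == "200"})
    return hits


def repeat_offenders(hits: list[dict], threshold: int = 2) -> dict[str, int]:
    """Sources with at least `threshold` attempts (the 'multiple sequential requests' indicator)."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```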
🔗 References
- https://github.com/ShokoAnime/ShokoServer/commit/6c57ba0f073d6be5a4f508c46c2ce36727cbce80
- https://github.com/ShokoAnime/ShokoServer/security/advisories/GHSA-mwcv-ghjq-8f2g