CVE-2023-46863
📋 TL;DR
This vulnerability allows remote attackers to read arbitrary files on Peppermint Ticket Management servers through directory traversal in file download requests. Attackers can access sensitive system files, configuration files, and user data. All instances running Peppermint Ticket Management before version 0.2.4 are affected.
💻 Affected Systems
- Peppermint Ticket Management
📦 What is this software?
Peppermint by Peppermint
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through reading sensitive files like SSH keys, database credentials, or configuration files containing secrets, potentially leading to lateral movement and data exfiltration.
Likely Case
Unauthorized access to sensitive application files, user data, and system configuration information, potentially enabling further attacks or data theft.
If Mitigated
Limited impact with proper file permissions and network segmentation, though sensitive application data may still be exposed.
🎯 Exploit Status
The exploit requires only a simple HTTP POST request with directory traversal in the filepath parameter. No authentication is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.2.4
Vendor Advisory: https://github.com/Peppermint-Lab/peppermint/issues/108
Restart Required: Yes
Instructions:
1. Back up your current installation and database.
2. Download version 0.2.4 or later from the official repository.
3. Replace the existing installation with the patched version.
4. Restart the Peppermint service.
🔧 Temporary Workarounds
Web Application Firewall Rule
Block requests containing directory traversal sequences in the filepath parameter
Network Access Control
Restrict access to the /api/v1/users/file/download endpoint
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Peppermint servers from sensitive systems
- Deploy a web application firewall with rules to detect and block directory traversal attempts
🔍 How to Verify
Check if Vulnerable:
Test by sending a POST request to /api/v1/users/file/download?filepath=./../etc/passwd (or similar traversal) and checking if sensitive files are returned
Check Version:
Check the Peppermint version in the application interface or configuration files
Verify Fix Applied:
After patching, attempt the same directory traversal request and verify it returns an error or is blocked
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /api/v1/users/file/download with ../ sequences in parameters
- Unusual file access patterns from the application
Network Indicators:
- HTTP requests with directory traversal sequences in URL parameters
- Multiple failed file access attempts from single sources
SIEM Query:
source="peppermint.log" AND (url="/api/v1/users/file/download" AND (param="../" OR param="..\\"))
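The log indicators above can be checked offline against a web server access log. The following is an added example (not code from the Peppermint project or from this advisory); it assumes Combined Log Format lines, percent-decodes the query string the way the server would before matching, and flags only requests whose filepath has a `..` path segment, so a benign name like `notes..txt` is not reported. The log lines are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the advisory.
DOWNLOAD_PATH = "/api/v1/users/file/download"
PARAM = "filepath"

# Request line of a Combined/Common Log Format entry (assumed log format).
REQ_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log; 203.0.113.9 sends two traversal attempts,
# the second with a percent-encoded backslash form.
LOG_LINES = [
    '10.0.0.5 - - [10/Nov/2023:12:00:01 +0000] "POST /api/v1/users/file/download?filepath=uploads/ticket-42.pdf HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Nov/2023:12:00:07 +0000] "POST /api/v1/users/file/download?filepath=./../etc/passwd HTTP/1.1" 200 1803',
    '203.0.113.9 - - [10/Nov/2023:12:00:09 +0000] "POST /api/v1/users/file/download?filepath=..%5c..%5cetc%5cpasswd HTTP/1.1" 404 21',
    '10.0.0.7 - - [10/Nov/2023:12:01:00 +0000] "GET /api/v1/tickets?page=2 HTTP/1.1" 200 900',
    '10.0.0.8 - - [10/Nov/2023:12:01:30 +0000] "POST /api/v1/users/file/download?filepath=uploads/notes..txt HTTP/1.1" 200 12',
]

def has_traversal(value):
    """True if any path segment of the already-decoded value is exactly '..'.
    Both '/' and '\\' are treated as segment separators."""
    return ".." in re.split(r"[\\/]+", value)

def scan_log(lines):
    """Return (src, timestamp, status, decoded_filepath) for each request that
    hits the download endpoint with a traversal sequence in the filepath parameter."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != DOWNLOAD_PATH:
            continue
        # parse_qs percent-decodes values, so %2e%2e%2f is seen as ../ here.
        for value in parse_qs(url.query).get(PARAM, []):
            if has_traversal(value):
                hits.append((m.group("src"), m.group("ts"), int(m.group("status")), value))
    return hits

def count_by_source(hits):
    """Per-source counts, for the 'multiple attempts from single sources' indicator."""
    return dict(Counter(h[0] for h in hits))

if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit)
```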