9.1 CRITICAL
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): None (N)
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
4 packages
- python314Packages.filebrowser-safe
- python313Packages.filebrowser-safe
- python312Packages.filebrowser-safe
- filebrowser-quantum
- @LeSuisse dismissed
File Browser: Authentication Bypass via Proxy Auth Header Forgery
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when FileBrowser is configured with proxy authentication (auth.method=proxy), any unauthenticated attacker who can reach the server directly can impersonate any user - including admin - by sending a single forged HTTP header. No credentials are required. Additionally, specifying a non-existent username causes the server to automatically create a new user account, providing an account creation primitive with no authorization. This is an already known issue that has been documented in the documentation for several years, but has not been documented as a vulnerability before.
References
-
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xqp3-jq6g-x3qm x_refsource_CONFIRMexploit
-
https://github.com/filebrowser/filebrowser/blob/main/auth/proxy.go x_refsource_MISC
Affected products
- ==>= 2.0.0-rc.1
Matching in nixpkgs
Ignored packages (4)
pkgs.filebrowser-quantum
Access and manage your files from the web
-
nixos-unstable 1.2.2-stable
- nixpkgs-unstable 1.2.2-stable
- nixos-unstable-small 1.2.2-stable
-
nixos-26.05 1.2.2-stable
- nixos-26.05-small 1.2.2-stable
- nixpkgs-26.05-darwin 1.2.2-stable
pkgs.python312Packages.filebrowser-safe
None
pkgs.python313Packages.filebrowser-safe
Snapshot of django-filebrowser for the Mezzanine CMS
Package maintainers
-
@HritwikSinghal Hritwik Singhal <nix@thorin.theoakenshield.com>