CVE-2026-55474
NixOS 脆弱性の分析と軽減

概要

CVE-2026-55474 is a relative path traversal vulnerability in Snipe-IT, an open-source IT asset and license management system. The flaw exists in ActionlogController::displaySig, where the route filename parameter is concatenated directly into a private upload-directory path without sanitization, enabling an authenticated attacker to read arbitrary files accessible to the web server process. All versions prior to 8.5.0 are affected. The vulnerability was disclosed on July 10, 2026, and carries a CVSS v3.1 base score of 6.5 (Medium) and a CVSS v4.0 base score of 7.1 (High) (GitHub Advisory, Feedly).

技術的な詳細

The root cause is CWE-23 (Relative Path Traversal): the displaySig method in ActionlogController accepts a user-controlled filename route parameter and concatenates it directly into a filesystem path pointing to a private upload directory, with no input sanitization or path canonicalization applied. An attacker can supply path traversal sequences (e.g., ../../etc/passwd) in the filename parameter to escape the intended directory and access arbitrary files readable by the web server process. Exploitation requires only a valid authenticated session with low privileges — no special roles or permissions are needed. The fix, merged in PR #18927, applies PHP's basename() function to strip directory components from the filename before use, and adds similar protections across several other file-serving controllers (getStoredEula, StorageProxyController, backup download/delete/restore endpoints) (GitHub Advisory, GitHub PR, GitHub Commit).

影響

Successful exploitation allows an authenticated attacker with low privileges to read arbitrary files accessible to the web server process, resulting in high confidentiality impact with no integrity or availability impact. Sensitive files at risk include application configuration files (e.g., .env containing database credentials, API keys, and secrets), system files, and other data within the web server's read permissions. This could facilitate further attacks such as credential theft, lateral movement, or full application compromise if secrets are exposed (GitHub Advisory, Feedly).

エクスプロイテーションのステップ

  1. Authenticate: Obtain valid credentials for any low-privileged user account on the target Snipe-IT instance (version < 8.5.0).
  2. Identify the vulnerable endpoint: Locate the displaySig route, typically accessible at a URL such as /account/sig/{filename} or the equivalent route mapped to ActionlogController::displaySig.
  3. Craft a path traversal payload: Construct a filename parameter containing relative path traversal sequences, e.g., ../../../../../../etc/passwd or ../../.env, to escape the intended upload directory.
  4. Send the request: Issue an authenticated HTTP GET request to the vulnerable endpoint with the crafted filename, e.g., GET /account/sig/../../.env.
  5. Retrieve file contents: If successful, the server returns the contents of the targeted file (e.g., the .env file containing database credentials, APP_KEY, and other secrets) as the response body, which the attacker can then use for further exploitation (GitHub Advisory, GitHub Commit).

妥協の兆候

  • Network: Authenticated HTTP GET requests to the displaySig or getStoredEula endpoints containing URL-encoded path traversal sequences (e.g., %2F..%2F, ..%2F, ../) in the filename parameter; unusual responses returning non-image file content (e.g., plaintext configuration data) from signature-serving endpoints.
  • Logs: Web server access logs showing requests to signature or EULA file endpoints with filenames containing .., /, or %2F sequences; HTTP 200 responses with unexpectedly large or non-image content types from these endpoints.
  • File System: No direct file system artifacts are expected from read-only exploitation; however, evidence of subsequent actions (e.g., new user accounts, changed configurations) may indicate secrets obtained via this vulnerability were leveraged.

軽減策と回避策

Upgrade Snipe-IT to version 8.5.0 or later, which applies basename() to the filename parameter in ActionlogController::displaySig and several other file-serving endpoints, preventing directory traversal (GitHub Release, GitHub PR). As a temporary workaround if immediate upgrade is not feasible, restrict web server process permissions to the minimum required directories and apply the principle of least privilege to the service account. Additionally, implement network-level controls (e.g., WAF rules) to block requests containing path traversal sequences (../, %2F..) targeting Snipe-IT file-serving endpoints (GitHub Advisory).

コミュニティの反応

The vulnerability was reported by securin-public (Securin) and disclosed via GitHub Security Advisories on June 24, 2026, with the CVE published on July 10, 2026 (GitHub Advisory). The Snipe-IT maintainer (@snipe) merged the fix promptly in April 2026 and highlighted the security fixes in the v8.5.0 release notes, strongly encouraging all users to update (GitHub Release). No significant broader media coverage or notable community controversy has been observed.

関連情報


ソースこのレポートは AI を使用して生成されました

関連 NixOS 脆弱 性:

CVE 識別子

重大度

スコア

テクノロジー

コンポーネント名

CISA KEV エクスプロイト

修正あり

公開日

CVE-2026-55516HIGH7.7
  • NixOS logoNixOS
  • snipe-it
いいえはいJul 10, 2026
CVE-2026-55474HIGH7.1
  • NixOS logoNixOS
  • snipe-it
いいえはいJul 10, 2026
CVE-2026-55843HIGH7
  • NixOS logoNixOS
  • snipe-it
いいえはいJul 10, 2026
CVE-2026-55478MEDIUM5.3
  • NixOS logoNixOS
  • snipe-it
いいえはいJul 10, 2026
CVE-2026-55476MEDIUM5.3
  • NixOS logoNixOS
  • snipe-it
いいえはいJul 10, 2026

無料の脆弱性評価

クラウドセキュリティポスチャーのベンチマーク

9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。

評価を依頼する

パーソナライズされたデモを見る

実際に Wiz を見てみませんか?​

"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
デビッド・エストリックCISO (最高情報責任者)
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
アダム・フレッチャーチーフ・セキュリティ・オフィサー
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"
グレッグ・ポニャトフスキ脅威および脆弱性管理責任者