CVE-2021-29024: 
NixOS vulnerability analysis and mitigation

In InvoicePlane 1.5.11, a misconfigured web server vulnerability was identified that allows unauthenticated directory listing and file download capabilities. The vulnerability, tracked as CVE-2021-29024, was discovered and disclosed in March 2021, affecting the InvoicePlane CRM system. This security flaw enables attackers to perform directory traversal and download private files without requiring authentication (NVD, Research Blog).

The vulnerability is classified as CWE-552 (Files or Directories Accessible to External Parties). It received a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue stems from improper server configuration, which bypasses the intended security controls, including .htaccess-based directory access restrictions (NVD).

The vulnerability allows unauthorized access to directory listings and file downloads, potentially exposing sensitive information stored within the InvoicePlane system. Even with implemented preventive measures like .htaccess-based restrictions, the vulnerability can still be exploited if the server is not properly configured, particularly noting that default Apache installations may not adequately protect against this issue (Research Blog).

A fix has been implemented through a pull request that adds index.html files to prevent directory listing on poorly configured servers. The solution was merged into the develop branch of InvoicePlane (GitHub PR). Additionally, proper server configuration is essential to ensure the effectiveness of the implemented .htaccess-based protection mechanisms.