SB2020050425 - Multiple vulnerabilities in TeamPass

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Path traversal (CVE-ID: CVE-2020-12479)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in "newValue" parameter in "sources/users.queries.php". A remote authenticated attacker can send a specially crafted HTTP request and read arbitrary files on the system.

2) Improper Authentication (CVE-ID: CVE-2020-12477)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in when processing authentication requests in the REST API functions. A remote authenticated attacker can bypass IP address whitelist restrictions via an X-Forwarded-For client HTTP header to the "getIp" function.

3) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2020-12478)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to improper validation of input. A remote attacker can  retrieve files from the TeamPass web root. This may include backups or LDAP debug files.

Remediation

Install update from vendor's website.

References

• https://github.com/nilsteampassnet/TeamPass/issues/2762
• https://github.com/nilsteampassnet/TeamPass/issues/2761
• https://github.com/nilsteampassnet/TeamPass/issues/2764