Insufficient input validation allowed a directory traversal vulnerability: any admin configuration file, and any other file readable by the application, can be retrieved by an attacker. Some files can also be moved or deleted through the same weakness.



Tested Version

Commit d27ed0f5


The GetImageServlet API endpoint accepts a user-controlled image_path parameter (read from the `image` POST field) that is used to build the path of a stored image. The content stored at that path is then returned to the user, but image_path is never sanitized, so a value containing `..` segments escapes the image_uploads directory and allows directory traversal and arbitrary file reads.

String image_path = post.get("image",""); // <- user-controlled, no sanitization
// path is built by plain string concatenation; ".." segments are not rejected
imageFile = new File(DAO.data_dir + File.separator + "image_uploads" + File.separator + image_path);
ByteArrayOutputStream data = new ByteArrayOutputStream();
InputStream is = new BufferedInputStream(new FileInputStream(imageFile)); // <- opens whatever the path points to
// `is` is written to `data`
ServletOutputStream sos = response.getOutputStream();
sos.write(data.toByteArray()); // <- file content is written back to the user

There are further similar vulnerabilities in the code base; all of them have been fixed by ensuring that directory traversal is no longer possible.
For further information, please see my research article, which shows how to escalate an arbitrary file write to remote code execution (RCE).
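The following Java program is an added example and is not code from this advisory or from the affected project. It places the string-concatenation pattern from the snippet above next to a hardened resolver that canonicalises the upload directory and rejects any candidate path that does not stay underneath it, then runs both against a benign name, two traversal payloads and an absolute path. The class `ImagePathCheck`, the methods `resolveUnchecked` and `resolveChecked` and the temporary upload directory are hypothetical stand-ins for DAO.data_dir/image_uploads; `Files.writeString` requires Java 11 or later.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class ImagePathCheck {

    // Vulnerable pattern, as in the advisory: concatenate and trust the result.
    static File resolveUnchecked(File uploadsDir, String imagePath) {
        return new File(uploadsDir + File.separator + imagePath);
    }

    // Hardened form (example, not the project's fix): canonicalise the base
    // directory, normalise the candidate and require it to remain below the base.
    static Path resolveChecked(Path uploadsDir, String imagePath) throws IOException {
        Path base = uploadsDir.toRealPath();            // resolves symlinks, "." and ".."
        Path candidate = base.resolve(imagePath).normalize();
        // Path.startsWith compares whole components, so "/base/image_uploads2"
        // does not pass as a child of "/base/image_uploads".
        if (!candidate.startsWith(base)) {
            throw new IOException("path escapes upload directory: " + imagePath);
        }
        // A symlink inside the directory may still point outside of it.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            throw new IOException("symlink escapes upload directory: " + imagePath);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed test fixture: a throw-away upload directory with one image.
        Path uploads = Files.createTempDirectory("image_uploads");
        Files.writeString(uploads.resolve("ok.png"), "not really a png");

        String[] inputs = {
            "ok.png",                       // legitimate request
            "sub/../ok.png",                // normalises back inside the directory
            "../../../../etc/passwd",       // classic traversal payload
            "/etc/passwd"                   // absolute path, resolve() returns it unchanged
        };
        for (String in : inputs) {
            File unchecked = resolveUnchecked(uploads.toFile(), in);
            System.out.println("unchecked: " + in + " -> " + unchecked.getCanonicalPath());
            try {
                System.out.println("checked:   " + in + " -> " + resolveChecked(uploads, in));
            } catch (IOException e) {
                System.out.println("checked:   " + in + " -> REJECTED (" + e.getMessage() + ")");
            }
        }
    }
}
```

The unchecked resolver happily produces paths such as /etc/passwd for the last two inputs, which is exactly what GetImageServlet would then open and stream back. Checking the normalised path against the canonicalised base, rather than searching the raw string for "..", also covers absolute paths and platform-specific separators, and the second check catches files that were uploaded as symlinks.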


Impact

Remote code execution, as shown in my research article.



Github Advisories


Coordinated Disclosure Timeline

  • 2020-03-06: Asked to open a Github security advisory.
  • 2020-03-10: Invited to Github security advisory.
  • 2020-05-13: Issue is patched.
  • 2020-06-08: CVE is assigned.
  • 2020-10-15: Advisory is published.


This issue was discovered and reported by @intrigus-lgtm.


You can contact the ISL at Please include a reference to ISL-2020-001 in any communication regarding this issue.