Skip to main content

Absolute Path Traversal

CVE-2024-45290

Severity High
Score 7.5/10

Summary

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. An attacker can construct an XLSX file that links media from external URLs. When opening the XLSX file, PhpSpreadsheet retrieves the image size and type by reading the file contents, if the provided path is a URL. By using specially crafted "php://filter" URLs, an attacker can leak the contents of any file or URL. Note that this vulnerability is different from GHSA-w9xv-qf98-ccq4 and resides in a different component. An attacker can access any file on the server or leak information from arbitrary URLs, potentially exposing sensitive information such as AWS IAM credentials. This issue affects phpoffice/phpspreadsheet versions through 1.29.1, 2.0.0 through 2.1.0, and 2.2.0 through 2.2.2. All users are advised to upgrade. There are no known workarounds for this vulnerability.

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • HIGH
  • NONE

CWE-36 - Absolute Path Traversal

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

Advisory Timeline

  • Published