
Remote Code Execution vulnerability in Dynamic JSON/TOML/YAML badges

Critical
chris48s published GHSA-rxvx-x284-4445 Sep 25, 2024

Package

shieldsio/shields (DockerHub)

Affected versions

< server-2024-09-25

Patched versions

server-2024-09-25

Description

Impact

Shields.io and users self-hosting their own instance of shields using a version older than server-2024-09-25 are vulnerable to a remote code execution vulnerability via the JSONPath library used by the Dynamic JSON/TOML/YAML badges. This vulnerability allows any user who can make a request to a URL on the instance to execute code on it by crafting a malicious JSONPath expression. All users who self-host an instance are vulnerable.

Patches

This problem was fixed in PR #10551. Self-hosting users should upgrade immediately.

If you follow the tagged releases, update to server-2024-09-25 or later.

If you follow the rolling tag on DockerHub, run docker pull shieldsio/shields:next to update to the latest version.

Workarounds

The best way to resolve this issue is by upgrading to a fixed version. However, blocking access to the endpoints

  • /badge/dynamic/json
  • /badge/dynamic/toml
  • /badge/dynamic/yaml

(e.g. via a firewall or reverse proxy in front of your instance) would prevent the exploitable endpoints from being accessed.
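The reverse proxy workaround above, as an added example that is not part of this advisory or of the shields project: an nginx server block that returns 403 for the three dynamic badge endpoints and forwards everything else to the instance. The listen port, the hostname and the upstream address 127.0.0.1:8080 are assumptions; adjust them to your deployment.

```nginx
# Added example (not from the shields project): nginx in front of a self-hosted
# shields instance. Assumes shields listens on 127.0.0.1:8080 (assumption).
server {
    listen 80;
    server_name badges.example.internal;   # placeholder hostname

    # Deny the endpoints named in the advisory. "^~" is a prefix match that also
    # stops nginx from evaluating any regex locations afterwards, and nginx
    # matches locations against the normalised, percent-decoded URI, so an
    # encoded variant of the path such as /badge/dynamic/%6Ason is denied too.
    location ^~ /badge/dynamic/json { return 403; }
    location ^~ /badge/dynamic/toml { return 403; }
    location ^~ /badge/dynamic/yaml { return 403; }

    # Everything else (static badges, endpoint badge, etc.) is forwarded unchanged.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx, confirm the block is in place by requesting each of the three paths through the proxy and checking for a 403 response, and make sure the shields container itself is no longer reachable directly (for example, bind it to localhost only); a proxy-level block is only effective if the proxy is the only path to the instance. Treat this as a stopgap until the instance is upgraded to server-2024-09-25 or later.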

References

If you have any questions or comments about this advisory:

Severity

Critical

CVE ID

CVE-2024-47180

Weaknesses

No CWEs

Credits