From 6b5246f619a0b9b09fbcd3873dc7ae302eca3525 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Tue, 8 Oct 2024 16:23:05 -0400 Subject: [PATCH 1/2] GHSA SYNC: 1 brand new advisory --- gems/camaleon_cms/CVE-2024-46987.yml | 72 ++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 gems/camaleon_cms/CVE-2024-46987.yml diff --git a/gems/camaleon_cms/CVE-2024-46987.yml b/gems/camaleon_cms/CVE-2024-46987.yml new file mode 100644 index 0000000000..b8c3f743c9 --- /dev/null +++ b/gems/camaleon_cms/CVE-2024-46987.yml 
@@ -0,0 +1,72 @@ +--- +gem: camaleon_cms +cve: 2024-46987 +ghsa: cp65-5m9r-vc2c +url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-cp65-5m9r-vc2c +title: Camaleon CMS vulnerable to arbitrary path traversal (GHSL-2024-183) +date: 2024-09-18 +description: | + A path traversal vulnerability accessible via MediaController's + download_private_file method allows authenticated users to download + any file on the web server Camaleon CMS is running on (depending + on the file permissions). + + In the [download_private_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L28) + method: + ```ruby + def download_private_file + cama_uploader.enable_private_mode! + + file = cama_uploader.fetch_file("private/#{params[:file]}") + + send_file file, disposition: 'inline' + end + ``` + + The file parameter is passed to the [fetch_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_local_uploader.rb#L27) + method of the CamaleonCmsLocalUploader class (when files are uploaded locally): + ```ruby + def fetch_file(file_name) + raise ActionController::RoutingError, 'File not found' unless file_exists?(file_name) + + file_name + end + ``` + + If the file exists it's passed back to the download_private_file method + where the file is sent to the user via + send_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L33-L34). + + Proof of concept + + An authenticated user can download the /etc/passwd file by visiting an URL such as: + + https:///admin/media/download_private_file?file=../../../../../../etc/passwd + + Impact + + This issue may lead to Information Disclosure. 
+ + Remediation + + Normalize file paths constructed from untrusted user input before using + them and check that the resulting path is inside the targeted directory. + Additionally, do not allow character sequences such as .. in untrusted + input that is used to build paths. + + See also: + + [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/) + [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal) +cvss_v3: 7.7 +patched_versions: + - ">= 2.8.1" +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2024-46987 + - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-cp65-5m9r-vc2c + - https://github.com/owen2345/camaleon-cms/commit/071b1b09d6d61ab02a5960b1ccafd9d9c2155a3e + - https://codeql.github.com/codeql-query-help/ruby/rb-path-injection + - https://owasp.org/www-community/attacks/Path_Traversal + - https://www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released + - https://github.com/advisories/GHSA-cp65-5m9r-vc2c From 15cc846ca5a9d50dd009de56a17dfd5dc3bfb9cb Mon Sep 17 00:00:00 2001 From: Postmodern Date: Tue, 8 Oct 2024 16:15:11 -0700 Subject: [PATCH 2/2] Cleaned up the markdown formatting of the `description` --- gems/camaleon_cms/CVE-2024-46987.yml | 34 ++++++++++++++++------------ 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/gems/camaleon_cms/CVE-2024-46987.yml b/gems/camaleon_cms/CVE-2024-46987.yml index b8c3f743c9..94bfc5db0c 100644 --- a/gems/camaleon_cms/CVE-2024-46987.yml +++ b/gems/camaleon_cms/CVE-2024-46987.yml 
@@ -11,8 +11,8 @@ description: | any file on the web server Camaleon CMS is running on (depending on the file permissions). - In the [download_private_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L28) - method: + In the [download_private_file] method: + ```ruby def download_private_file cama_uploader.enable_private_mode! @@ -23,8 +23,11 @@ description: | end ``` - The file parameter is passed to the [fetch_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_local_uploader.rb#L27) - method of the CamaleonCmsLocalUploader class (when files are uploaded locally): + [download_private_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L28 + + The file parameter is passed to the [fetch_file] method of the + CamaleonCmsLocalUploader class (when files are uploaded locally): + ```ruby def fetch_file(file_name) raise ActionController::RoutingError, 'File not found' unless file_exists?(file_name) 
@@ -33,31 +36,34 @@ description: | end ``` + [fetch_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_local_uploader.rb#L27 + If the file exists it's passed back to the download_private_file method - where the file is sent to the user via - send_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L33-L34). + where the file is sent to the user via [send_file]. + + [send_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L33-L34 - Proof of concept + ## Proof of concept An authenticated user can download the /etc/passwd file by visiting an URL such as: - https:///admin/media/download_private_file?file=../../../../../../etc/passwd + https:///admin/media/download_private_file?file=../../../../../../etc/passwd - Impact + ## Impact This issue may lead to Information Disclosure. - Remediation + ## Remediation Normalize file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. - Additionally, do not allow character sequences such as .. in untrusted + Additionally, do not allow character sequences such as `..` in untrusted input that is used to build paths. - See also: + ## See Also - [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/) - [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal) + * [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/) + * [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal) cvss_v3: 7.7 patched_versions: - ">= 2.8.1"
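Review bot: in the new-file hunk of PATCH 1/2 (`@@ -0,0 +1,72 @@`), the `send_file` link is missing its opening bracket: the line reads `send_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e.../media_controller.rb#L33-L34).`, so it renders as a stray `]` followed by a parenthesised URL instead of a link; it should start with `[send_file](`. The same hunk writes the `Proof of concept`, `Impact` and `Remediation` labels as bare text lines inside the `description: |` block scalar, so when the description is rendered as markdown they become ordinary paragraphs rather than section headings; use a consistent heading or label style for them. The proof-of-concept URL also has an empty authority (`https:///admin/media/download_private_file?...`), which reads as an unfilled placeholder carried over from the upstream advisory; an explicit placeholder such as `https://<host>/admin/...` would make that intent visible instead of looking like a copy error.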
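Review bot: in the `@@ -23,8 +23,11 @@` hunk of PATCH 2/2, the link reference definition `[download_private_file]: https://...` resolves the `[download_private_file]` reference introduced in the previous hunk, so the two hunks only make sense together; that is acceptable, but keep a blank line on both sides of the definition (as this hunk does) because a markdown link reference definition cannot interrupt a paragraph, and keep it at the same indentation as the surrounding lines, since a less-indented line would terminate the YAML block scalar and break the file.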
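Review bot: in the `@@ -33,31 +36,34 @@` hunk of PATCH 2/2, the proof-of-concept line changes only its indentation (`- https:///admin/...` to `+ https:///admin/...`) and still carries the empty host `https:///`; if the intent is an indented code line, mark the host as a placeholder (`https://<host>/admin/...`) so readers do not mistake the empty authority for a truncation. Two smaller points in the same hunk: `visiting an URL` should be `visiting a URL`, and the `## Remediation` section could point at the fix commit already listed under `related.url` (`071b1b09d6d61ab02a5960b1ccafd9d9c2155a3e`) so a reader can see the path-normalisation change the text recommends. The hunk does correctly repair the broken `send_file](...)` link by turning it into the `[send_file]` reference with its own definition, and wrapping `..` in backticks is an improvement.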