### ### Impact
There was a path traversal flaw in handling the CheckFileInfo BaseFileName field returned from WOPI servers which allowed writing a file anywhere where the uid running Collabora Online can write if such a response was supplied by a malicious WOPI server. By combining this flaw with a Time of Check, Time of Use DNS lookup issue with a WOPI server address under attacker control it is possible to present such a response to be processed by a Collabora Online instance.
Patches
In versions, 24.04.12.4, 23.05.19, 22.05.25 or later the CheckFileInfo BaseFileName field is rejected if it does not confirm to the specification that requires it to not contain a path. An internal DNS cache was extended to give consistent results for back to back DNS lookups.
Credits
Thanks to truff - https://x.com/truffzor for reporting this flaw
truff77 Finder
### ### Impact
There was a path traversal flaw in handling the CheckFileInfo BaseFileName field returned from WOPI servers which allowed writing a file anywhere where the uid running Collabora Online can write if such a response was supplied by a malicious WOPI server. By combining this flaw with a Time of Check, Time of Use DNS lookup issue with a WOPI server address under attacker control it is possible to present such a response to be processed by a Collabora Online instance.
Patches
In versions, 24.04.12.4, 23.05.19, 22.05.25 or later the CheckFileInfo BaseFileName field is rejected if it does not confirm to the specification that requires it to not contain a path. An internal DNS cache was extended to give consistent results for back to back DNS lookups.
Credits
Thanks to truff - https://x.com/truffzor for reporting this flaw