CVE-2026-42275

HIGH8.7EPSS 0.05%

zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write

發布日:2026/4/25修改日:2026/5/12

描述

**Summary** The zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without OS-level permission restrictions—write or overwrite files anywhere on the host filesystem accessible to the zrok process. - Attack Vector: Network — exploitation is performed entirely over the WebDAV endpoint; the attacker issues HTTP requests to the public zrok share URL. - Attack Complexity: High — a precondition outside the attacker's direct control must hold: a symlink pointing outside DriveRoot must already exist within it (created locally, not via WebDAV). - Privileges Required: None — zrok share public --backend-mode drive exposes the WebDAV endpoint with no authentication by default. - User Interaction: None — once the symlink precondition is met, exploitation requires no user interaction. - Scope: Changed — the vulnerability allows an attacker to escape the WebDAV root (the security boundary) and access the broader host filesystem. - Confidentiality Impact: High — arbitrary files readable by the zrok process can be retrieved. - Integrity Impact: High — the WebDAV PUT handler opens files with O_RDWR|O_CREATE|O_TRUNC, meaning symlink targets outside DriveRoot can be overwritten (e.g. ~/.ssh/authorized_keys). - Availability Impact: None — no direct availability impact. Affected Components - drives/davServer/file.go — Dir.OpenFile (line 140), Dir.Stat (line 176), Dir.Mkdir (line 133), Dir.RemoveAll (line 151) - endpoints/drive/backend.go — NewBackend (line 51–52)

受影響套件(2)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 3.1HIGH8.7CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

參考連結(5)