Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user‑supplied paths when creating shares. By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue.
When creating a share, the application does not properly validate the target path specified by the user, which enables a path traversal attack. The attacker can specify a writable path within the public web root directory and upload any file there (e.g., a server script). A file uploaded in this way can then be executed by the web server, leading to remote code execution (RCE). As a result, a user with minimal privileges can gain full control over the Erugo instance.
The attacker can execute arbitrary code on the server, gaining full control over the Erugo instance, including access to stored data, and the ability to compromise the confidentiality, integrity, and availability of the system.
Erugo should be updated to version 0.2.15, which eliminates the described vulnerability. The appropriate commit (256bc63831a0b5e9a94cb024a0724e0cd5fa5e38) and official release v0.2.15 are available in the vendor's repository.
Erugo in versions up to and including 0.2.14 (self-hosted). Any user account in the application is required.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HErugo
APPErugo≤ 0.2.14