Impact
In Runtipi versions 4.9.1 through 4.9.3, the marketplace app logo endpoint serves files from cloned repositories without authentication, allowing a malicious symlink to point to a sensitive file. The path guard only checks the lexical path, so the server can read and return the target file contents, leading to disclosure of environment files, secrets, logs, and application data.
Affected Systems
The vulnerable Runtipi products are the Runtipi orchestrator running versions 4.9.1, 4.9.2, and 4.9.3. Containers or deployments that host these versions are at risk if they expose the marketplace endpoint to the network.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. The EPSS score is below 1 %, suggesting a low likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Nevertheless, because the endpoint is unauthenticated and publicly reachable, an attacker with network access can exploit it by uploading a repository containing a malicious logo symlink. The attack does not require elevated privileges and can reveal critical configuration and secret information.
OpenCVE Enrichment