Crafatar Minecraft Avatar Service Vulnerability Allows Access to Files Outside Container

CVE: CVE-2024-24756
CVSS v3.1: 7.5
Source: CVE-2024-24756

Crafatar is a service that allows users to generate Minecraft avatars from their skin files. It was found that older versions of the Crafatar server software could be exploited to access files outside of the designated public directory.

As the server runs the avatar generation application inside a Docker container, an attacker could make requests to read arbitrary files on the server by specifying file paths outside of the container. While no sensitive files were exposed by default, this could allow an attacker to access configuration files or other data not intended to be publicly accessible.

The vulnerability was possible because file path parameters were used without input validation. By crafting a request whose path pointed outside the public file location, an attacker could retrieve contents they should not have had access to.

Luckily, the issue was only present in older versions of Crafatar that are no longer supported. Users running the latest version are protected. However, it is always a good idea to keep any applications or servers up to date with the latest security patches to prevent exploitation of known issues. Proper input validation is also important for any web application that allows file retrieval by path.

While this vulnerability has been addressed, it serves as a reminder for service providers to carefully check access controls and validate user-provided data to avoid unintended data leaks or unauthorized access in their applications. Staying on top of updates also helps users and site owners alike to remain secure.
