Description
Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/<name>.json contains an attacker-chosen repo URL pointing at a private address (e.g. http://127.0.0.1:9999/) or using a non-allow-listed scheme (e.g. file://, git://). Weblate persists the component via Component.objects.bulk_create([component])[0], which bypasses Django's full_clean() and therefore never runs the validate_repo_url validator. The URL is subsequently written verbatim into .git/config by configure_repo(pull=False). This issue has been patched in version 5.17.1.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
Low
User Interaction
None
Confidentiality (Vulnerable System)
Low
Integrity (Vulnerable System)
None
Availability (Vulnerable System)
None
Confidentiality (Subsequent System)
Low
Integrity (Subsequent System)
None
Availability (Subsequent System)
None
Affected products
- WeblateOrg / weblate< 5.17.1 – < 5.17.1
References
- VENDOR_ADVISORYhttps://github.com/WeblateOrg/weblate/security/advisories/GHSA-cwcx-382v-8m9g
- PATCHhttps://github.com/WeblateOrg/weblate/pull/19061
- PATCHhttps://github.com/WeblateOrg/weblate/pull/19062
- PATCHhttps://github.com/WeblateOrg/weblate/commit/e1eff1f517c1ee315d69581910baaabb724e5ef0
- PATCHhttps://github.com/WeblateOrg/weblate/commit/e4b67a76d95d5165ecb9937f7485fd79223b7f14
- PATCHhttps://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1