CVE-2026-22783
Iris (Multiple Products) · Iris is a web collaborative platform that helps incident responders share technical details during investigations.
A critical vulnerability has been discovered in the Iris collaborative platform, allowing an authenticated user to delete arbitrary files from the server's filesystem.
Executive summary
A critical vulnerability has been discovered in the Iris collaborative platform, allowing an authenticated user to delete arbitrary files from the server's filesystem. This flaw can be exploited to remove critical system files, causing application failure, a complete denial of service, or permanent data loss. Due to the high severity and potential for significant operational disruption, immediate remediation is strongly advised.
Vulnerability
This vulnerability is an arbitrary file deletion flaw resulting from a combination of mass assignment and improper path validation. An authenticated attacker can exploit this by first uploading a legitimate file to the platform's datastore. Next, the attacker leverages a mass assignment weakness to modify the file's metadata, specifically changing the file_local_name parameter to point to a sensitive file path on the server (e.g., /etc/passwd or a critical application configuration file). Finally, when the attacker initiates the delete function for their uploaded file, the system trusts the manipulated file path and deletes the targeted arbitrary file without proper validation, leading to its removal from the filesystem.
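The two weaknesses described above can be seen side by side in a small illustrative handler. The following Python is an added example written for this advisory, not code from the Iris project: the record store, the `DATASTORE_ROOT` directory, the endpoint names (`upload_file`, `update_file_*`, `delete_file_*`) and the "sensitive" file are all constructed stand-ins. The vulnerable pair copies every submitted field into the record (mass assignment) and then deletes whatever path the record holds; the hardened pair allowlists the updatable fields so `file_local_name` stays server-controlled, and re-validates the path at delete time so that even a tampered record cannot reach outside the datastore directory.

```python
import os
import tempfile
from pathlib import Path

# In-memory stand-in for the datastore table (constructed for this example).
FILES: dict[int, dict] = {}

# Directory that uploaded files live in; a temp dir so the demo runs anywhere.
DATASTORE_ROOT = Path(tempfile.mkdtemp(prefix="iris_datastore_")).resolve()

# Fields a client may change through the file-update endpoint.
# file_local_name is deliberately absent: the server assigns it at upload time.
ALLOWED_UPDATE_FIELDS = {"file_original_name", "file_description"}


def upload_file(file_id: int, original_name: str, data: bytes) -> dict:
    """Store the upload under a server-chosen name and record its metadata."""
    local_name = f"{file_id}.bin"  # server-controlled, never taken from the client
    (DATASTORE_ROOT / local_name).write_bytes(data)
    FILES[file_id] = {"file_original_name": original_name, "file_local_name": local_name}
    return FILES[file_id]


def update_file_vulnerable(file_id: int, fields: dict) -> None:
    """Mass assignment: every submitted field is copied into the record."""
    FILES[file_id].update(fields)


def delete_file_vulnerable(file_id: int) -> None:
    """Trusts the stored path verbatim, so a tampered record deletes anything."""
    os.remove(FILES[file_id]["file_local_name"])
    del FILES[file_id]


def update_file_hardened(file_id: int, fields: dict) -> None:
    """Allowlist: reject any field the client may not set."""
    rejected = set(fields) - ALLOWED_UPDATE_FIELDS
    if rejected:
        raise ValueError(f"fields not updatable by clients: {sorted(rejected)}")
    FILES[file_id].update(fields)


def resolve_datastore_path(local_name: str) -> Path:
    """Map a stored name to a path and prove it is a direct child of the root."""
    candidate = (DATASTORE_ROOT / local_name).resolve()
    # An absolute local_name replaces the root when joined; '..' escapes it.
    # Both are caught by requiring the resolved parent to be the root itself.
    if candidate.parent != DATASTORE_ROOT:
        raise ValueError(f"refusing path outside datastore: {local_name!r}")
    return candidate


def is_safe_local_name(local_name: str) -> bool:
    """Boolean form of the containment check, handy for tests and logging."""
    try:
        resolve_datastore_path(local_name)
        return True
    except ValueError:
        return False


def delete_file_hardened(file_id: int) -> None:
    """Defence in depth: re-validate the path even if the record was tampered."""
    path = resolve_datastore_path(FILES[file_id]["file_local_name"])
    path.unlink()
    del FILES[file_id]


def run_demo() -> dict:
    """Exercise both versions against a constructed 'sensitive' file."""
    sensitive_dir = Path(tempfile.mkdtemp(prefix="not_the_datastore_"))
    sensitive = sensitive_dir / "config.yml"  # stand-in for a critical file
    results = {}

    # Vulnerable flow: upload, retarget the record, delete.
    sensitive.write_text("secret: 1")
    upload_file(1, "report.pdf", b"%PDF-1.4 constructed")
    update_file_vulnerable(1, {"file_local_name": str(sensitive)})
    delete_file_vulnerable(1)
    results["vulnerable_deleted_sensitive"] = not sensitive.exists()

    # Hardened flow: the update is refused at the field allowlist.
    sensitive.write_text("secret: 1")
    upload_file(2, "report.pdf", b"%PDF-1.4 constructed")
    try:
        update_file_hardened(2, {"file_local_name": str(sensitive)})
        results["hardened_update_rejected"] = False
    except ValueError:
        results["hardened_update_rejected"] = True

    # Even if the record were tampered some other way, delete stays inside root.
    FILES[2]["file_local_name"] = str(sensitive)
    try:
        delete_file_hardened(2)
        results["hardened_delete_rejected"] = False
    except ValueError:
        results["hardened_delete_rejected"] = True
    results["sensitive_survived"] = sensitive.exists()

    # A legitimate record still deletes normally.
    FILES[2]["file_local_name"] = "2.bin"
    delete_file_hardened(2)
    results["legit_delete_ok"] = not (DATASTORE_ROOT / "2.bin").exists()
    return results
```

The containment check rejects absolute paths, `..` sequences and even subdirectories, because a datastore that names files itself never needs any of them; keeping `file_local_name` out of the client-updatable set is the fix, and the delete-time check is the safety net if some other path ever writes that column.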
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.6, reflecting the potential for severe and widespread damage. Successful exploitation could lead to the deletion of critical operating system files, application binaries, or configuration data, resulting in a complete and potentially unrecoverable denial-of-service (DoS) condition for the Iris platform and possibly the underlying server. The destruction of sensitive data or security configurations could also facilitate further attacks, compromise data integrity, and lead to significant operational downtime and costly recovery efforts.
Remediation
Immediate Action: Upgrade all instances of the affected Iris platform to version 2.4.24 or later, which contains the fix for this vulnerability. After patching, review web server and application access logs for any signs of exploitation, such as unusual API calls related to file updates and deletions.
Proactive Monitoring:
- Monitor web server and application logs for suspicious sequences of API calls involving file uploads, followed by updates to the file_local_name parameter, and subsequent deletions.
- Implement File Integrity Monitoring (FIM) on the server hosting Iris to generate alerts for unauthorized or unexpected deletions of critical system and application files.
- Scrutinize network traffic for requests that contain path traversal sequences (e.g., ../) within file management API endpoints.
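The first and third monitoring items above can be turned into a small log-sequence detector. The Python below is an added example, not an Iris component: the log line format, the user names and the `/datastore/file/...` endpoint paths are constructed for the demo (Iris's real routes and log layout are not assumed). It groups events per user, flags any update that carries `file_local_name` at all (a legitimate client never needs to set it), escalates when the value looks like a path, and escalates again when the update sits between an upload and a delete inside a short window. The `looks_like_path` predicate is also the shape of match a WAF rule would use as a compensating control.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed application-log format (not Iris's real log format):
#   <ISO time> user=<name> <METHOD> <path> [fields=<k=v;k=v>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+)"
    r"(?: fields=(?P<fields>\S*))?$"
)

# A server-assigned file name is a bare name: any separator or '..' is a path.
PATH_LIKE_RE = re.compile(r"[/\\]|\.\.")

# Constructed sample log: alice behaves normally, mallory performs the sequence.
SAMPLE_LOG = """\
2026-01-10T09:00:01 user=alice POST /datastore/file/add fields=file_original_name=report.pdf
2026-01-10T09:00:07 user=alice POST /datastore/file/update/1 fields=file_description=weekly
2026-01-10T09:02:30 user=mallory POST /datastore/file/add fields=file_original_name=notes.txt
2026-01-10T09:02:41 user=mallory POST /datastore/file/update/2 fields=file_local_name=../../../../etc/passwd
2026-01-10T09:02:55 user=mallory POST /datastore/file/delete/2
2026-01-10T09:30:00 user=bob POST /datastore/file/delete/3
"""


def looks_like_path(value: str) -> bool:
    """True when a client-supplied file name contains a separator or '..'."""
    return PATH_LIKE_RE.search(value) is not None


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    fields = {}
    if ev["fields"]:
        for kv in ev["fields"].split(";"):
            key, _, val = kv.partition("=")
            fields[key] = val
    ev["fields"] = fields
    return ev


def classify(ev: dict):
    """Bucket a request into the three file-management actions we care about."""
    path = ev["path"]
    if path.endswith("/add"):
        return "upload"
    if "/update/" in path:
        return "update"
    if "/delete/" in path:
        return "delete"
    return None


def find_suspicious(log_text: str, window: timedelta = timedelta(minutes=10)) -> list:
    """Return one finding per update that sets file_local_name, with reasons."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            per_user[ev["user"]].append(ev)

    findings = []
    for user, events in per_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if classify(ev) != "update" or "file_local_name" not in ev["fields"]:
                continue
            value = ev["fields"]["file_local_name"]
            reasons = ["client set file_local_name"]
            if looks_like_path(value):
                reasons.append("path-like value")
            had_upload = any(
                classify(e) == "upload" and ev["ts"] - e["ts"] <= window for e in events[:i]
            )
            had_delete = any(
                classify(e) == "delete" and e["ts"] - ev["ts"] <= window for e in events[i + 1:]
            )
            if had_upload and had_delete:
                reasons.append("upload -> update -> delete within window")
            findings.append(
                {"user": user, "ts": ev["ts"].isoformat(), "value": value, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Web server access logs usually do not carry request bodies, so the `file_local_name` check needs application-level logging or a WAF/reverse proxy that logs form fields; the upload/update/delete sequence and the path-like value in URL-encoded query strings are still visible in plain access logs.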
Compensating Controls:
- If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to inspect and block requests attempting to modify the file_local_name parameter with absolute or relative file paths.
- Enforce strict file system permissions for the service account running the Iris application, limiting its ability to write to or delete files outside of its designated directories.
- Ensure regular, automated backups of the server's filesystem and application data are in place to facilitate recovery in the event of a compromise.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.6 and the potential for destructive impact, organizations must treat this vulnerability with the highest priority. Although the vulnerability requires an attacker to be authenticated, the risk of an insider threat or an attacker leveraging compromised credentials is significant. We strongly recommend applying the vendor-supplied patch to upgrade to version 2.4.24 or newer immediately across all affected systems to prevent potential system-wide denial of service and data destruction.