NodeBB Arbitrary JSON File Read (CVE-2021-43788)
Description
NodeBB versions prior to 1.18.5 contain a path traversal vulnerability (CVE-2021-43788) that allows authenticated attackers with low-level privileges to read arbitrary JSON files from the server's filesystem. This vulnerability enables unauthorized access to sensitive configuration files, user data, and other JSON-formatted information stored on the server.
Remediation
Upgrade NodeBB to version 1.18.5 or later immediately. Follow these steps:
1. Back up your current NodeBB installation and database
2. Review the NodeBB upgrade documentation for version-specific migration notes
3. Update NodeBB using your package manager (e.g., npm update nodebb) or download the latest release from the official repository
4. Restart the NodeBB service after the upgrade
5. Verify the installation by checking the version number in the admin panel
6. Review server logs for any suspicious file access attempts that may have occurred before patching
7. Consider rotating sensitive credentials (database passwords, API keys) that may have been exposed through JSON configuration files
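As an added example in support of steps 5 and 11 (not part of this advisory and not NodeBB's own code), the following Node.js snippet flags percent-encoded directory-traversal requests aimed at .json files in access-log lines and checks whether an installed version string is older than the fixed release 1.18.5. The log lines and the /api/hypothetical route are constructed placeholders, not real NodeBB paths.

```javascript
// Added example, not NodeBB project code: flag traversal attempts aimed at JSON
// files in access logs and check an installed version against the fix release.
const FIXED_VERSION = '1.18.5';

// Decode repeated percent-encoding so "%252e%252e%252f" and "..%2f" both become "../".
function fullyDecode(path) {
  let prev = null, cur = path;
  for (let i = 0; i < 3 && cur !== prev; i++) {
    prev = cur;
    try { cur = decodeURIComponent(cur); } catch { break; }
  }
  return cur.replace(/\\/g, '/');
}

// True when the decoded path climbs a directory and its target is a .json file.
function isJsonTraversal(requestPath) {
  const decoded = fullyDecode(requestPath).split('?')[0];
  return /(^|\/)\.\.(\/|$)/.test(decoded) && /\.json$/i.test(decoded);
}

// Pull the request path out of combined-log-format lines; return the raw suspicious paths.
function findSuspiciousRequests(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/);
    if (m && isJsonTraversal(m[1])) hits.push(m[1]);
  }
  return hits;
}

// Numeric dotted-version compare: true when `installed` is older than the fixed release.
function isVulnerableVersion(installed, fixed = FIXED_VERSION) {
  const a = installed.split('.').map(Number), b = fixed.split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Constructed sample log lines; /api/hypothetical is a placeholder, not a real NodeBB route.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Dec/2021:10:00:00 +0000] "GET /api/hypothetical/en-GB/global HTTP/1.1" 200 812',
  '10.0.0.9 - - [01/Dec/2021:10:00:03 +0000] "GET /api/hypothetical/..%2f..%2f..%2fconfig.json HTTP/1.1" 200 1402',
  '10.0.0.9 - - [01/Dec/2021:10:00:05 +0000] "GET /assets/uploads/profile/1.json HTTP/1.1" 404 0',
];

console.log('suspicious:', findSuspiciousRequests(SAMPLE_LOG));
console.log('1.18.4 vulnerable:', isVulnerableVersion('1.18.4'));
```

Run it against your real access log by replacing SAMPLE_LOG with the file's lines; a non-empty result on a pre-1.18.5 install is the trigger for the credential rotation in step 7.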