Lucene search

K

[email protected]NVD:CVE-2023-34096

HistoryJun 08, 2023 - 7:15 p.m.

CVE-2023-34096

2023-06-0819:15:09

CWE-22

[email protected]

web.nvd.nist.gov

thruk

webinterface

path traversal

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

High

0.039 Low

EPSS

Percentile

92.0%

Thruk is a multibackend monitoring webinterface which currently supports Naemon, Icinga, Shinken and Nagios as backends. In versions 3.06 and prior, the file panorama.pm is vulnerable to a Path Traversal vulnerability which allows an attacker to upload a file to any folder which has write permissions on the affected system. The parameter location is not filtered, validated or sanitized and it accepts any kind of characters. For a path traversal attack, the only characters required were the dot (.) and the slash (/). A fix is available in version 3.06.2.

Affected configurations

NVD

Node

thrukthrukRange<3.06.2

References

packetstormsecurity.com/files/172822/Thruk-Monitoring-Web-Interface-3.06-Path-Traversal.html

galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html

github.com/galoget/Thruk-CVE-2023-34096

github.com/sni/Thruk/blob/1bc5a5804bf9fc22e82a4eadb21a1795954f0867/plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm#L690

github.com/sni/Thruk/blob/1bc5a5804bf9fc22e82a4eadb21a1795954f0867/plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm#L705

github.com/sni/Thruk/blob/1bc5a5804bf9fc22e82a4eadb21a1795954f0867/plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm#L727

github.com/sni/Thruk/blob/1bc5a5804bf9fc22e82a4eadb21a1795954f0867/plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm#L735

github.com/sni/Thruk/commit/26de047275c355c5ae2bbbc51b164f0f8bef5c5b

github.com/sni/Thruk/commit/cf03f67621b7bb20e2c768bc62b30e976206aa17

github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h

www.exploit-db.com/exploits/51509

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

High

0.039 Low

EPSS

Percentile

92.0%

Related for NVD:CVE-2023-34096

githubexploit1 cve1 zdt1 prion1 cvelist1 osv1 packetstorm1 exploitdb1