CVE-2017-10974
published 2017-07-07

Priority: P182, high
CVSS 3.0: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 81.03% (99.6th percentile)

Yaws 1.91 allows Unauthenticated Remote File Disclosure via HTTP Directory Traversal with /%5C../ to port 8080. NOTE: this CVE is only about use of an initial /%5C sequence to defeat traversal protection mechanisms; the initial /%5C sequence was apparently not discussed in earlier research on this product.

Affected

6 ranges
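| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| debian | yaws | < yaws 1.91-2 (bookworm) | yaws 1.91-2 (bookworm) |
| yaws | yaws | | |
| yaws | yaws | >= 0 < 1.91-2 | 1.91-2 |
| yaws | yaws | >= 0 < 1.91-2 | 1.91-2 |
| yaws | yaws | >= 0 < 1.91-2 | 1.91-2 |
| yaws | yaws | >= 0 < 1.91-2 | 1.91-2 |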

Detection & IOCs (extracted from sources)

url: /%5C../ssl/yaws-key.pem
url: /%5C../logs/localhost.8080.access
path: /%5C../
port: 8080
filename: yaws-key.pem
sigma
id: CVE-2017-10974
info:
  name: Yaws 1.91 - Local File Inclusion
  author: 0x_Akoko
  severity: high
http:
  - method: GET
    path:
      - "{{BaseURL}}/%5C../ssl/yaws-key.pem"
    # Matchers belong to the request entry; all three must hold.
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - '!contains(tolower(body), "<html")'
      - type: word
        words:
          - "BEGIN RSA PRIVATE KEY"
      - type: status
        status:
          - 200

  • Detect directory traversal attempts against Yaws by looking for the encoded backslash sequence `%5C` followed by `../` in HTTP request URIs, specifically targeting port 8080.
  • Alert on HTTP GET requests containing `/%5C../ssl/yaws-key.pem` — this is the primary exploit path used to steal the server's RSA private key.
  • Alert on HTTP GET requests containing `/%5C../logs/` — this path is used to exfiltrate Yaws access logs.
  • In HTTP responses, the presence of `BEGIN RSA PRIVATE KEY` in the body of a 200 OK response from a Yaws server is a strong indicator of successful exploitation.
  • The `%5C` prefix is specifically used to defeat Yaws traversal protection mechanisms; standard `../` traversal detection may miss this variant — ensure URL-decoding is applied before matching.
  • This vulnerability affects Yaws version 1.91 specifically. Debian-based systems with package version 1.91-2 or later have the fix applied and are not vulnerable.
  • The exploit requires network reachability to port 8080 on the target Yaws server; the attack is unauthenticated and requires no credentials.
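
The detection notes above as an added example (not taken from the page's sources or from the Yaws project): a Python scan over access-log lines that percent-decodes the request path before looking for a backslash followed by `..`, and records whether a raw `/../` rule would have fired. The Common Log Format assumption, the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: Common Log Format access lines; adapt REQUEST_RE to the real format.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# A decoded backslash directly followed by a parent-directory step.
BACKSLASH_TRAVERSAL = re.compile(r'\\\.\.(?:[/\\]|$)')
SENSITIVE = ("ssl/yaws-key.pem", "logs/")  # targets listed on the page

def naive_match(target):
    """Typical rule that greps the raw URI for '/../'; misses the %5C form."""
    return "/../" in target

def classify(line):
    """Return None for lines without the pattern, else a dict describing the hit."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path = unquote(m["target"].split("?", 1)[0])  # decode before matching
    if not BACKSLASH_TRAVERSAL.search(path):
        return None
    return {
        "target": m["target"],
        "status": int(m["status"]),
        "sensitive": any(s in path.lower() for s in SENSITIVE),
        "served_200": m["status"] == "200",  # content was returned: triage first
        "naive_rule_fired": naive_match(m["target"]),
    }

def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jul/2017:10:00:01 +0000] "GET /index.yaws HTTP/1.1" 200 512',
    '192.0.2.66 - - [07/Jul/2017:10:00:05 +0000] "GET /%5C../ssl/yaws-key.pem HTTP/1.1" 200 1679',
    '192.0.2.66 - - [07/Jul/2017:10:00:06 +0000] "GET /%5c../logs/localhost.8080.access HTTP/1.1" 404 0',
    '192.0.2.20 - - [07/Jul/2017:10:00:09 +0000] "GET /files/report%5C2017.pdf HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with `served_200` set still needs the response body checked for `BEGIN RSA PRIVATE KEY` before it is treated as confirmed disclosure.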

CVSS provenance

nvd (v3.0): 7.5 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd (v2.0): 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
osv: 7.5 HIGH
vulncheck: 7.5 HIGH
vendor_debian: 7.5 HIGH