CVE-2017-10974
Published: 2017-07-07
Priority: P182 (high)
CVSS 3.0: 7.5 (high), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploited in the wild (VulnCheck KEV)
EPSS: 81.03% (99.6th percentile)
Yaws 1.91 allows Unauthenticated Remote File Disclosure via HTTP Directory Traversal with /%5C../ to port 8080. NOTE: this CVE is only about use of an initial /%5C sequence to defeat traversal protection mechanisms; the initial /%5C sequence was apparently not discussed in earlier research on this product.
Affected (6 ranges; the four identical yaws ranges are shown once)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | yaws | < yaws 1.91-2 (bookworm) | yaws 1.91-2 (bookworm) |
| yaws | yaws | — | — |
| yaws | yaws | >= 0 < 1.91-2 | 1.91-2 |
Detection & IOCs (extracted from sources)

Template (Nuclei format):

```yaml
id: CVE-2017-10974

info:
  name: Yaws 1.91 - Local File Inclusion
  author: 0x_Akoko
  severity: high

http:
  - method: GET
    path:
      - "{{BaseURL}}/%5C../ssl/yaws-key.pem"

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - '!contains(tolower(body), "<html")'

      - type: word
        words:
          - "BEGIN RSA PRIVATE KEY"

      - type: status
        status:
          - 200
```

- Detect directory traversal attempts against Yaws by looking for the encoded backslash sequence `%5C` followed by `../` in HTTP request URIs, specifically targeting port 8080.
- Alert on HTTP GET requests containing `/%5C../ssl/yaws-key.pem` — this is the primary exploit path used to steal the server's RSA private key.
- Alert on HTTP GET requests containing `/%5C../logs/` — this path is used to exfiltrate Yaws access logs.
- In HTTP responses, the presence of `BEGIN RSA PRIVATE KEY` in the body of a 200 OK response from a Yaws server is a strong indicator of successful exploitation.
- The `%5C` prefix is specifically used to defeat Yaws traversal protection mechanisms; standard `../` traversal detection may miss this variant — ensure URL-decoding is applied before matching.
- This vulnerability affects Yaws version 1.91 specifically. Debian-based systems with package version 1.91-2 or later have the fix applied and are not vulnerable.
- The exploit requires network reachability to port 8080 on the target Yaws server; the attack is unauthenticated and requires no credentials.
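The detection notes above say to URL-decode before matching, because the `%5C` (backslash) prefix is what the traversal protection missed. The following Python is an added example, not code from the CVE record, Nuclei or any vendor: it percent-decodes request targets from constructed access-log lines (the client address and timestamps are made up) and tags the `%5C../` variant, the lowercase `%5c` spelling, and a double-encoded `%255C` form, which goes slightly beyond the single encoding the record describes. It also marks requests for the two paths the record names (`/ssl/yaws-key.pem` and `/logs/`) and reports the response status so a 200 can be triaged as a probable success.

```python
"""Flag the Yaws /%5C../ traversal variant in HTTP access logs after URL-decoding.
Added example; the log lines below are constructed, not captured from a real server."""
import re
from urllib.parse import unquote

# Constructed Common Log Format lines (hypothetical client 198.51.100.7).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "GET /index.yaws HTTP/1.1" 200 1024
198.51.100.7 - - [10/Jan/2024:10:00:02 +0000] "GET /%5C../ssl/yaws-key.pem HTTP/1.1" 200 1704
198.51.100.7 - - [10/Jan/2024:10:00:03 +0000] "GET /%5c../logs/ HTTP/1.1" 200 512
198.51.100.7 - - [10/Jan/2024:10:00:04 +0000] "GET /%255C../ssl/yaws-key.pem HTTP/1.1" 404 0
198.51.100.7 - - [10/Jan/2024:10:00:05 +0000] "GET /docs/../index.yaws HTTP/1.1" 200 1024
"""

# Pulls method, request target and status code out of a CLF request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Paths the CVE record names as the ones requested through the traversal.
SENSITIVE_SUFFIXES = ("/ssl/yaws-key.pem", "/logs/")


def normalize_path(raw: str, max_rounds: int = 3) -> tuple[str, int]:
    """Percent-decode until the string stops changing (bounded), so that %5C, %5c
    and double-encoded %255C all become a literal backslash.
    Returns (decoded_path, rounds_needed); rounds > 1 means double encoding."""
    path = raw.split("?", 1)[0]  # the query string is irrelevant here
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
        rounds += 1
    return path, rounds


def classify(raw_target: str) -> list[str]:
    """Return indicator tags for one request target; [] means nothing suspicious."""
    path, rounds = normalize_path(raw_target)
    tags = []
    if "\\../" in path:        # the %5C../ variant this CVE is about
        tags.append("backslash-traversal")
    elif "../" in path:        # ordinary traversal, kept for contrast
        tags.append("plain-traversal")
    if rounds > 1:
        tags.append("double-encoded")
    if path.endswith(SENSITIVE_SUFFIXES):
        tags.append("yaws-sensitive-path")
    return tags


def scan_log(text: str) -> list[dict]:
    """Scan CLF text and return one record per suspicious request line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        tags = classify(m["target"])
        if tags:
            hits.append({"line": lineno, "target": m["target"],
                         "status": int(m["status"]), "tags": tags})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        note = "review: 200 on traversal" if h["status"] == 200 else ""
        print(h["line"], h["status"], h["target"], ",".join(h["tags"]), note)
```

The decode loop is bounded so a pathological input cannot keep the matcher busy, and the `%5C` check runs on the decoded string rather than on the raw URI so the case of the hex digits and a second layer of encoding do not matter. Status codes come only from the log; confirming a disclosure still needs the response body, which is what the Nuclei matcher's `BEGIN RSA PRIVATE KEY` check covers.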
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vulncheck | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
GHSA
GHSA-jxfg-w2gp-7257 (ghsa_unreviewed, 2022-05-17): CVE-2017-10974 [HIGH], CWE-22. Carries the same description as above.
OSV
CVE-2017-10974 (osv, 2017-07-07, CVSS 7.5, HIGH). Carries the same description as above.
VulnCheck
vulncheck, 2017, CVSS 7.5, HIGH
Title: yaws yaws Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Carries the same description as above.
Affected: yaws yaws
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-03&host_type=src&vulnerability=cve-2017-10974; https://dashboard.shadowserver.org/statistics/honeypot/vulnerabil
Debian
vendor_debian, 2017, CVSS 7.5, HIGH
Title: CVE-2017-10974: yaws - Yaws 1.91 allows Unauthenticated Remote File Disclosure via HTTP Directory Traversal (same description as above)
Scope: local
bookworm: resolved (fixed in 1.91-2)
bullseye: resolved (fixed in 1.91-2)
forky: resolved (fixed in 1.91-2)
sid: resolved (fixed in 1.91-2)
trixie: resolved (fixed in 1.91-2)
No detection rules found.
Exploit-DB
Yaws 1.91 - Remote File Disclosure (exploitdb, 2017-07-07, CVSS 7.5, HIGH)

---
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/YAWS-WEB-SERVER-v1.91-UNAUTHENTICATED-REMOTE-FILE-DISCLOSURE.txt
[+] ISR: ApparitionSec

Vendor:
yaws.hyber.org

Product:
Yaws v1.91 (Yet Another Web Server)

Yaws is a high-performance HTTP 1.1 web server particularly well suited for dynamic-content web applications.

Two separate modes of operation are supported:
Standalone mode, where Yaws runs as a regular web server daemon. This is the default mode.
Embedded mode, where Yaws runs as an embedded web server in another Erlang application.

Vulnerability Type:
Unauthenticated Remote File Disclosure

CVE Reference:
CVE-2017-10974

Security Issue:
Remote attackers who can
Nuclei
Yaws 1.91 - Local File Inclusion (nuclei, CVSS 7.5, HIGH)
Yaws 1.91 allows unauthenticated local file inclusion via /%5C../ submitted to port 8080.

Template:

```yaml
id: CVE-2017-10974

info:
  name: Yaws 1.91 - Local File Inclusion
  author: 0x_Akoko
  severity: high
  description: Yaws 1.91 allows unauthenticated local file inclusion via /%5C../ submitted to port 8080.
  impact: |
    The vulnerability allows an attacker to include local files on the server, potentially leading to unauthorized access or information disclosure.
  remediation: |
    Upgrade to a patched version of Yaws or apply the necessary security patches.
  reference:
    - https://www.exploit-db.com/exploits/42303
    - https://nvd.nist.gov/vuln/detail/CVE-2017-10974
    - http://hyp3rlinx.altervista.org/advisories/YAWS-WEB-SERVER-v1.91-UNAUTHENTICATED-REMOTE-FILE-DISCLOSURE.txt
```

References:
- http://hyp3rlinx.altervista.org/advisories/YAWS-WEB-SERVER-v1.91-UNAUTHENTICATED-REMOTE-FILE-DISCLOSURE.txt
- http://www.securityfocus.com/bid/99515
- https://www.exploit-db.com/exploits/42303/