CVE-2017-5869
published 2017-03-24

Priority: P271 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 34.59% (98.2th percentile)
Directory traversal vulnerability in the file import feature in Nuxeo Platform 6.0, 7.1, 7.2, and 7.3 allows remote authenticated users to upload and execute arbitrary JSP code via a .. (dot dot) in the X-File-Name header.

Affected

4 ranges
Vendor | Product | Version range | Fixed in
nuxeo | nuxeo
nuxeo | nuxeo
nuxeo | nuxeo
nuxeo | nuxeo

Detection & IOCs (extracted from sources)

path: ../../nxserver/nuxeo.war/shell.jsp
url: /nuxeo/site/automation/batch/upload
url: /nuxeo/nxstartup.faces
url: /nuxeo/login.jsp
path: nxserver/nuxeo.war/
  • Detect directory traversal in the X-File-Name HTTP request header targeting the batch upload endpoint; look for '../' sequences in the header value on POST requests to /site/automation/batch/upload.
  • Alert on HTTP POST requests to /site/automation/batch/upload that include the headers X-Batch-Id, X-File-Size, X-File-Idx, and X-File-Name containing '../../' path traversal sequences.
  • Monitor for creation of new .jsp files under the nuxeo.war web root directory (e.g., nxserver/nuxeo.war/*.jsp), which may indicate a successfully uploaded webshell.
  • After webshell upload, attackers trigger execution via a GET request to the uploaded JSP filename under the /nuxeo/ path; monitor for GET requests to random 8-character alpha .jsp filenames under the Nuxeo web root.
  • Exploitation requires valid authenticated credentials; unauthenticated attackers cannot exploit this vulnerability directly.
  • The vulnerability only affects Nuxeo 6.0, 7.1, 7.2, and 7.3; versions 7.4 and above (including 7.10 LTS and 8.10 LTS) are not affected. Nuxeo 6.0 HF35 is the patched release for the 6.0 branch.
  • The default TARGETURI for the Metasploit module is /nuxeo; deployments at non-default paths will require adjusted detection signatures.
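
The request-level checks above, written as a small log scanner. This is an added example, not code from this page or from Nuxeo; it assumes a reverse proxy or WAF that writes one JSON record per request with `method`, `path` and `headers` fields, and the finding labels and the `context` parameter are hypothetical names.

```python
import json
import re
from urllib.parse import unquote

UPLOAD_SUFFIX = "/site/automation/batch/upload"    # endpoint named on this page
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # ".." as a whole path segment

def decode_fully(value, rounds=3):
    """Percent-decode a few times so encoded and double-encoded dots are seen."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(record, context="/nuxeo"):
    """Return a finding label for one request record, or None."""
    method = record.get("method", "").upper()
    path = record.get("path", "").split("?", 1)[0]
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    if method == "POST" and path.rstrip("/").endswith(UPLOAD_SUFFIX):
        if TRAVERSAL.search(decode_fully(headers.get("x-file-name", ""))):
            return "traversal-in-x-file-name"
    # Heuristic from the page: GET for an 8-letter .jsp directly under the context root.
    if method == "GET" and re.fullmatch(re.escape(context) + r"/[A-Za-z]{8}\.jsp", path):
        return "possible-dropped-jsp-request"
    return None

def scan(lines, context="/nuxeo"):
    """Classify JSON-lines records; return (line_number, label) for each hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            label = classify(json.loads(line), context)
        except (ValueError, AttributeError):
            continue  # malformed record: skip rather than abort the scan
        if label:
            findings.append((n, label))
    return findings

# Constructed sample records (not real traffic).
SAMPLE = [
    '{"method":"POST","path":"/nuxeo/site/automation/batch/upload","headers":{"X-Batch-Id":"00","X-File-Idx":"0","X-File-Name":"report.pdf"}}',
    '{"method":"POST","path":"/nuxeo/site/automation/batch/upload","headers":{"x-file-name":"../../nxserver/nuxeo.war/shell.jsp"}}',
    '{"method":"POST","path":"/nuxeo/site/automation/batch/upload","headers":{"X-File-Name":"%252e%252e%252fa.jsp"}}',
    '{"method":"GET","path":"/nuxeo/login.jsp","headers":{}}',
    '{"method":"GET","path":"/nuxeo/qwertyui.jsp","headers":{}}',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Pass the deployment's own context path as `context` when Nuxeo is not served under /nuxeo, and pair these request checks with file-creation monitoring on nxserver/nuxeo.war/, since the GET heuristic only covers 8-letter filenames.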

CVSS provenance

nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P