CVE-2017-5869
Published 2017-03-24
Priority: P2 · 71 · high · CVSS 3.0 base score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available (see references)
EPSS: 34.59% (98.2nd percentile)
Directory traversal vulnerability in the file import feature in Nuxeo Platform 6.0, 7.1, 7.2, and 7.3 allows remote authenticated users to upload and execute arbitrary JSP code via a .. (dot dot) in the X-File-Name header.
Affected (4 ranges; version bounds are not populated in this record, see the description above for the affected versions)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nuxeo | nuxeo | — | — |
| nuxeo | nuxeo | — | — |
| nuxeo | nuxeo | — | — |
| nuxeo | nuxeo | — | — |
Detection & IOCs (extracted from sources)
- Detect directory traversal in the X-File-Name HTTP request header targeting the batch upload endpoint: look for '../' sequences in the header value on POST requests to /site/automation/batch/upload.
- Alert on HTTP POST requests to /site/automation/batch/upload that include the headers X-Batch-Id, X-File-Size, X-File-Idx, and X-File-Name, with X-File-Name containing '../../' path traversal sequences.
- Monitor for creation of new .jsp files under the nuxeo.war web root directory (e.g., nxserver/nuxeo.war/*.jsp), which may indicate a successfully uploaded webshell.
- After webshell upload, attackers trigger execution via a GET request to the uploaded JSP filename under the /nuxeo/ path; monitor for GET requests to random 8-character alphabetic .jsp filenames under the Nuxeo web root.
- Exploitation requires valid authenticated credentials; unauthenticated attackers cannot exploit this vulnerability directly.
- The vulnerability only affects Nuxeo 6.0, 7.1, 7.2, and 7.3; versions 7.4 and above (including 7.10 LTS and 8.10 LTS) are not affected. Nuxeo 6.0 HF35 is the patched release for the 6.0 branch.
- The default TARGETURI for the Metasploit module is /nuxeo; deployments at non-default paths will require adjusted detection signatures.
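As an added example (not code from this page's sources or from Nuxeo), the following Python applies the request-side indicators above (traversal in X-File-Name on POSTs to the batch upload endpoint, GETs for 8-character alphabetic .jsp names under the web root, and a configurable TARGETURI) to constructed request records of the kind a reverse proxy or WAF might log. The record layout, the `target_uri` parameter and all sample values are assumptions; as a generalization it also tests the percent-decoded header value so encoded separators are not missed.

```python
import re
from urllib.parse import unquote

# Constructed sample of proxy/WAF request records (method, path, headers).
# Not real traffic; values chosen to mirror the indicators described above.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/nuxeo/site/automation/batch/upload",
     "headers": {"X-Batch-Id": "b1", "X-File-Idx": "0", "X-File-Size": "12",
                 "X-File-Name": "report.pdf"}},
    {"method": "POST", "path": "/nuxeo/site/automation/batch/upload",
     "headers": {"X-Batch-Id": "b2", "X-File-Idx": "0", "X-File-Size": "512",
                 "X-File-Name": "../../abcdefgh.jsp"}},
    {"method": "POST", "path": "/nuxeo/site/automation/batch/upload",
     "headers": {"X-Batch-Id": "b3", "X-File-Idx": "0", "X-File-Size": "512",
                 "X-File-Name": "..%2F..%2Fqwertyui.jsp"}},
    {"method": "GET", "path": "/nuxeo/abcdefgh.jsp", "headers": {}},
    {"method": "GET", "path": "/nuxeo/site/automation/batch/upload", "headers": {}},
]

UPLOAD_SUFFIX = "/site/automation/batch/upload"
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # a '..' path segment
# Eight-character alphabetic JSP names directly under the web root, per the indicator.
RANDOM_JSP = re.compile(r"^/[A-Za-z]{8}\.jsp$")

def check_request(req, target_uri="/nuxeo"):
    """Return an alert string if the record matches an indicator, else None."""
    method = req["method"].upper()
    path = req["path"]
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if method == "POST" and path == target_uri + UPLOAD_SUFFIX:
        name = headers.get("x-file-name", "")
        # Also test the percent-decoded form so encoded separators do not slip past.
        if TRAVERSAL.search(name) or TRAVERSAL.search(unquote(name)):
            return f"traversal in X-File-Name: {name!r} (batch {headers.get('x-batch-id')})"
    if method == "GET" and path.startswith(target_uri + "/"):
        if RANDOM_JSP.match(path[len(target_uri):]):
            return f"request for suspicious JSP under web root: {path}"
    return None

def scan(requests, target_uri="/nuxeo"):
    """Run check_request over a batch of records; return (index, alert) pairs."""
    return [(i, a) for i, r in enumerate(requests) if (a := check_request(r, target_uri))]

if __name__ == "__main__":
    for i, alert in scan(SAMPLE_REQUESTS):
        print(f"[{i}] {alert}")
```

For a deployment at a non-default path, pass that path as `target_uri`; records for other paths are ignored, which is the adjustment the last indicator calls for.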
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
References
- http://www.openwall.com/lists/oss-security/2017/03/23/6
- http://www.securityfocus.com/bid/97083
- https://sysdream.com/news/lab/2017-03-23-cve-2017-5869-nuxeo-platform-remote-code-execution/
- https://www.exploit-db.com/exploits/41748/