cbcvebase.
CVE-2017-5982
published 2017-02-28

CVE-2017-5982: Directory traversal vulnerability in the Chorus2 2.4.2 add-on for Kodi allows remote attackers to read arbitrary files via a %2E%2E%252e (encoded dot dot…

PriorityP272high7.5CVSS 3.0
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
77.63%
99.5th percentile
Directory traversal vulnerability in the Chorus2 2.4.2 add-on for Kodi allows remote attackers to read arbitrary files via a %2E%2E%252e (encoded dot dot slash) in the image path, as demonstrated by image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd.

Affected

5 ranges
VendorProductVersion rangeFixed in
debiankodi< kodi 2:18.6+dfsg1-1 (bookworm)kodi 2:18.6+dfsg1-1 (bookworm)
kodikodi
kodikodi>= 0 < 2:18.6+dfsg1-12:18.6+dfsg1-1
kodikodi>= 0 < 2:18.6+dfsg1-12:18.6+dfsg1-1
kodikodi>= 0 < 2:18.6+dfsg1-12:18.6+dfsg1-1

Detection & IOCsextracted from sources · hover to see the quote

url/image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd
path/image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd
bytes
%2E%2E%252e
  • Look for HTTP GET requests to the /image/ endpoint containing double-encoded dot-dot sequences (%252e or %252f) in the path, indicative of directory traversal attempts against Kodi's Chorus2 web interface.
  • A successful exploitation response will return HTTP 200 with /etc/passwd content; match on 'root:[x*]:0:0' in the response body to confirm file read.
  • The vulnerability resides specifically in the Chorus2 2.4.2 add-on for Kodi (versions before 17.1); target detection at Kodi's default web interface port.
  • A Metasploit auxiliary scanner module exists for this vulnerability: modules/auxiliary/scanner/http/kodi_traversal.rb — presence of this module in use can be detected via its characteristic HTTP request patterns.
  • ·The vulnerability is exploitable without authentication (PR:N, UI:N), meaning no credentials are required to trigger the directory traversal.
  • ·Exploitation requires double URL-encoding of the traversal sequence; single-encoded traversal attempts (%2e%2e%2f) may not trigger the vulnerability and could produce false negatives in detection.
  • ·Debian-based systems running Kodi >= 2:18.6+dfsg1-1 are patched; detection rules should account for patched deployments to reduce false positives.

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
osv7.5HIGH
vendor_debian7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.