cbcvebase.
CVE-2018-9160
published 2018-03-31

CVE-2018-9160: SickRage before v2018.03.09-1 includes cleartext credentials in HTTP responses.

Priority: P275 (critical; CVSS 3.0 base score 9.8)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (Metasploit module)
EPSS: 76.52% (99.5th percentile)

Affected (4 ranges)

Vendor   | Product  | Version range                                    | Fixed in
sickrage | sickrage | <= 9.2.101                                       |
sickrage | sickrage | >= 0 < 2018.03.09-1                              | 2018.03.09-1
sickrage | sickrage | >= 0 < 8156a74a68aea930d1e1047baba8b115c3abfc44  | 8156a74a68aea930d1e1047baba8b115c3abfc44
sickrage | sickrage | >= 0 < 9.3.2                                     | 9.3.2

Detection & IOCs (extracted from sources)

URL: http://{host}:{port}/config/general
Path: /config/general
  • Unauthenticated HTTP GET requests to /config/general on SickRage instances should be alerted on; the response contains cleartext GitHub credentials in HTML input fields with id='git_username' and id='git_password'.
  • SickRage does not require login credentials by default, so /config/general is reachable without authentication. Monitor for unauthenticated access to this endpoint.
  • Shodan can be used to identify exposed SickRage instances; attackers may pivot from Shodan lookups to credential harvesting against /config/general.
  • The vulnerability only exposes credentials if the user has configured GitHub credentials in SickRage but has NOT enabled login protection on the SickRage web interface. Instances with login credentials configured are not exploitable via unauthenticated access.
  • The fix was introduced in v2018.03.09-1; the Metasploit module references a later boundary of v2018-09-03, so the window of affected versions should be verified against the specific build in use.
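The monitoring suggested in the notes above can be done offline against proxy access logs. The following is an added example (not code from this database or from the SickRage project) that scans combined-format access-log lines for GET requests to /config/general served with a 200 from outside a trusted network, normalizing case, trailing slashes, query strings and percent-encoding so trivial variants of the path are not missed. The log lines, IP addresses and trusted-network CIDR are constructed for the example; a real deployment would feed in the reverse proxy's actual log and its own allowlist.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines in combined log format, as a reverse proxy in
# front of SickRage might write them. Hosts, timestamps and user agents are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2018:09:12:01 +0000] "GET /home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2018:09:12:07 +0000] "GET /config/general HTTP/1.1" 200 18233 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2018:11:40:44 +0000] "GET /config/general HTTP/1.1" 200 18233 "-" "python-requests/2.18.4"
198.51.100.23 - - [10/Mar/2018:11:40:45 +0000] "GET /Config/General/?x=1 HTTP/1.1" 200 18233 "-" "python-requests/2.18.4"
203.0.113.9 - - [10/Mar/2018:12:01:10 +0000] "GET /config%2Fgeneral HTTP/1.1" 200 18233 "-" "curl/7.58.0"
203.0.113.9 - - [10/Mar/2018:12:01:12 +0000] "GET /config/notifications HTTP/1.1" 200 9000 "-" "curl/7.58.0"
"""

# Combined log format: source, ident, user, [timestamp], "METHOD target protocol", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The endpoint named in the advisory's IOCs.
SENSITIVE_PATH = "/config/general"


def normalize_path(target):
    """Decode %xx escapes, drop the query string, lower-case and strip trailing
    slashes so /Config/General/?x=1 and /config%2Fgeneral compare equal to
    /config/general."""
    path = urlsplit(unquote(target)).path
    return path.lower().rstrip("/") or "/"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = normalize_path(rec["target"])
    rec["status"] = int(rec["status"])
    return rec


def find_config_exposure(log_text, trusted_networks=("10.0.0.0/8",)):
    """Return one finding per source address that fetched /config/general from
    outside the trusted networks (assumed allowlist), with the number of hits.
    Only 200 responses count: a redirect to a login page or a 401 means the
    configuration page body was not actually served."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["path"] != SENSITIVE_PATH:
            continue
        if rec["status"] != 200:
            continue
        src = ipaddress.ip_address(rec["src"])
        if any(src in net for net in trusted):
            continue
        hits[rec["src"]] += 1
    return [{"src": src, "hits": n} for src, n in sorted(hits.items())]


if __name__ == "__main__":
    for finding in find_config_exposure(SAMPLE_LOG):
        print(f"ALERT: {finding['src']} fetched {SENSITIVE_PATH} {finding['hits']} time(s)")
```

Run against the sample, the internal host 10.0.0.5 is ignored while the two external sources are reported, including the hit that used mixed case, a trailing slash and a query string and the one that percent-encoded the slash. Because the advisory notes that instances with login protection enabled are not exposed, a 200 on this path from an untrusted source is the signal worth escalating; a redirect or 401 on the same path is benign.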

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)