CVE-2019-17538
published 2019-10-13

CVE-2019-17538: Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file reading via the web/polygon/problem/viewfile?id=1&name=../ substring.

Priority: P276
CVSS 3.1: 7.5 (high)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 11.65% (95.5th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
jnoj | jiangnan_online_judge | |

Detection & IOCs (extracted from sources)

url: /jnoj/web/polygon/problem/viewfile?id=1&name=../../../../../../../etc/passwd
path: web/polygon/problem/viewfile?id=1&name=../
  • Match HTTP 200 response body containing root passwd entry pattern to confirm successful LFI exploitation
  • Look for directory traversal sequences in the 'name' query parameter of the viewfile endpoint
  • Content-Type header used in exploit request is application/x-www-form-urlencoded on a GET request — flag anomalous combinations targeting this endpoint
  • The Nuclei template targets the path prefixed with /jnoj/; deployments may differ in base path, so adjust the URL prefix accordingly
  • Detection is confirmed only against jnoj version 0.8.0; other versions are not confirmed vulnerable
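
The request-side checks listed above, as an added example that is not part of the original entry or of any referenced template: a log scanner that flags traversal sequences in the 'name' parameter of the viewfile endpoint under any base path, including percent-encoded and double-encoded forms. The log format, function names and sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint from the entry; the base path (/jnoj/ or other) varies by deployment.
ENDPOINT = re.compile(r"(^|/)web/polygon/problem/viewfile/?$")
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (%252e%252e -> ..), bounded in rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment of the decoded value is '..' (either slash style)."""
    return ".." in re.split(r"[\\/]", fully_decode(value))

def check_line(line):
    """Return (status, decoded name) for a traversal attempt on viewfile, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not ENDPOINT.search(fully_decode(url.path)):
        return None
    for name in parse_qs(url.query, keep_blank_values=True).get("name", []):
        if has_traversal(name):
            return int(m.group("status")), fully_decode(name)
    return None

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Oct/2019:10:00:01 +0000] "GET /jnoj/web/polygon/problem/viewfile?id=1&name=../../../../../../../etc/passwd HTTP/1.1" 200 1532',
    '198.51.100.7 - - [13/Oct/2019:10:00:02 +0000] "GET /oj/web/polygon/problem/viewfile?id=1&name=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210',
    '203.0.113.9 - - [13/Oct/2019:10:00:03 +0000] "GET /jnoj/web/polygon/problem/viewfile?id=1&name=tests.in HTTP/1.1" 200 88',
    '203.0.113.9 - - [13/Oct/2019:10:00:04 +0000] "GET /jnoj/web/site/index?name=../x HTTP/1.1" 200 10',
]

def scan(lines):
    """Return all (status, decoded name) hits found in the given log lines."""
    return [hit for hit in map(check_line, lines) if hit]

if __name__ == "__main__":
    for status, name in scan(SAMPLE_LOG):
        print(f"status={status} name={name}")
```

A hit with status 200 is the case to triage first, since the entry treats a 200 response carrying passwd content as confirmation of a successful read.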

CVSS provenance

nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck | 7.5 | HIGH