CVE-2019-17538
published 2019-10-13CVE-2019-17538: Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file reading via the web/polygon/problem/viewfile?id=1&name=../ substring.
PriorityP276high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
11.65%
95.5th percentile
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file reading via the web/polygon/problem/viewfile?id=1&name=../ substring.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jnoj | jiangnan_online_judge | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Match HTTP 200 response body containing root passwd entry pattern to confirm successful LFI exploitation ↗
- →Look for directory traversal sequences in the 'name' query parameter of the viewfile endpoint ↗
- →Content-Type header used in exploit request is application/x-www-form-urlencoded on a GET request — flag anomalous combinations targeting this endpoint ↗
- ·The Nuclei template targets the path prefixed with /jnoj/ — deployments may differ in base path; adjust the URL prefix accordingly ↗
- ·Detection is confirmed only against jnoj version 0.8.0; other versions are not confirmed vulnerable ↗
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-7pw9-r7cw-g3f6: Jiangnan Online Judge (aka jnoj) 0
ghsa_unreviewed·2022-05-24
CVE-2019-17538 [HIGH] CWE-22 GHSA-7pw9-r7cw-g3f6: Jiangnan Online Judge (aka jnoj) 0
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file reading via the web/polygon/problem/viewfile?id=1&name=../ substring.
VulnCheck
jnoj jiangnan_online_judge Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2019·CVSS 7.5
CVE-2019-17538 [HIGH] jnoj jiangnan_online_judge Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
jnoj jiangnan_online_judge Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file reading via the web/polygon/problem/viewfile?id=1&name=../ substring.
Affected: jnoj jiangnan_online_judge
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2019-17538
No detection rules found.
Nuclei
Jiangnan Online Judge 0.8.0 - Local File Inclusion
nuclei·CVSS 7.5
CVE-2019-17538 [HIGH] Jiangnan Online Judge 0.8.0 - Local File Inclusion
Jiangnan Online Judge 0.8.0 - Local File Inclusion
Jiangnan Online Judge (aka jnoj) 0.8.0 is susceptible to local file inclusion via web/polygon/problem/viewfile?id=1&name=../.
Template:
id: CVE-2019-17538
info:
name: Jiangnan Online Judge 0.8.0 - Local File Inclusion
author: pussycat0x
severity: high
description: |
Jiangnan Online Judge (aka jnoj) 0.8.0 is susceptible to local file inclusion via web/polygon/problem/viewfile?id=1&name=../.
impact: |
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, including system files and credentials.
remediation: |
Upgrade Jiangnan Online Judge to a patched version or apply the necessary security patches to fix the Local File Inclusion vulnerability.
reference:
- https://github.com/shi-yang/jnoj
2019-10-13
Published
Exploited in the wild