CVE-2020-19360
published 2021-01-20CVE-2020-19360: Local file inclusion in FHEM 6.0 allows in fhem/FileLog_logWrapper file parameter can allow an attacker to include a file, which can lead to sensitive…
PriorityP260high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
20.22%
97.1th percentile
Local file inclusion in FHEM 6.0 allows in fhem/FileLog_logWrapper file parameter can allow an attacker to include a file, which can lead to sensitive information disclosure.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fasterxml | jackson-databind | >= 0 < 2.4.2-3ubuntu0.1~esm2 | 2.4.2-3ubuntu0.1~esm2 |
| fhem | fhem | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Send a GET request to /fhem/FileLog_logWrapper with parameters dev=Logfile, file=%2fetc%2fpasswd, and type=text; a successful LFI response will return HTTP 200 and contain the regex pattern 'root:[x*]:0:0' in the body.
- →The exploitable parameter is 'file' in the FileLog_logWrapper endpoint; path traversal via URL-encoded slashes (%2f) is used to reach /etc/passwd.
- ·The Nuclei template targets FHEM version 6.0 specifically; other versions may or may not be vulnerable. ↗
- ·The vulnerability is unauthenticated (PR:N, UI:N), meaning no credentials are required to exploit the LFI endpoint.
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
osv9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-58vv-fhph-5w6g: Local file inclusion in FHEM 6
ghsa_unreviewed·2022-05-24
CVE-2020-19360 [HIGH] CWE-200 GHSA-58vv-fhph-5w6g: Local file inclusion in FHEM 6
Local file inclusion in FHEM 6.0 allows in fhem/FileLog_logWrapper file parameter can allow an attacker to include a file, which can lead to sensitive information disclosure.
OSV
jackson-databind vulnerabilities
osv·2021-03-15·CVSS 9.8
CVE-2018-11307 jackson-databind vulnerabilities
jackson-databind vulnerabilities
It was discovered that Jackson Databind incorrectly handled
deserialization. An attacker could possibly use this issue to obtain
sensitive information. (CVE-2018-11307, CVE-2019-12086, CVE-2019-12814)
It was discovered that Jackson Databind incorrectly handled
deserialization. An attacker could possibly use this issue to execute
arbitrary code or other unspecified impact. (CVE-2018-12022,
CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-19360,
CVE-2018-19361, CVE-2018-19362, CVE-2019-12384, CVE-2019-14379,
CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942,
CVE-2019-16943, CVE-2019-17267, CVE-2019-17531, CVE-2019-20330,
CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969,
CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2
No detection rules found.
Nuclei
FHEM 6.0 - Local File Inclusion
nuclei·CVSS 7.5
CVE-2020-19360 [HIGH] FHEM 6.0 - Local File Inclusion
FHEM 6.0 - Local File Inclusion
FHEM version 6.0 suffers from a local file inclusion vulnerability.
Template:
id: CVE-2020-19360
info:
name: FHEM 6.0 - Local File Inclusion
author: 0x_Akoko
severity: high
description: FHEM version 6.0 suffers from a local file inclusion vulnerability.
impact: |
Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the target system.
remediation: |
Apply the latest patch or upgrade to a version that is not affected by the vulnerability.
reference:
- https://github.com/EmreOvunc/FHEM-6.0-Local-File-Inclusion-LFI-Vulnerability/blob/master/README.md
- https://github.com/EmreOvunc/FHEM-6.0-Local-File-Inclusion-LFI-Vulnerability
- https://emreovunc.com/blog/en/FHEM-v6.0-LFI-Vulnerability-01.png
- https://nvd.nist.go
2021-01-20
Published