CVE-2020-35580
published 2021-05-20

Priority: P1 (78)
CVSS 3.1: 7.5 (high), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 13.98% (96.1 percentile)
A local file inclusion vulnerability in the FileServlet in all SearchBlox before 9.2.2 allows remote, unauthenticated users to read arbitrary files from the operating system via a /searchblox/servlet/FileServlet?col=url= request. Additionally, this may be used to read the contents of the SearchBlox configuration file (e.g., searchblox/WEB-INF/config.xml), which contains both the Super Admin's API key and the base64 encoded SHA1 password hashes of other SearchBlox users.

Affected (1 range)

Vendor      Product      Version range   Fixed in
searchblox  searchblox   < 9.2.2         9.2.2

Detection & IOCs (extracted from sources)

url:  /searchblox/servlet/FileServlet?col=url=
path: /searchblox/servlet/FileServlet?col=9&url=/etc/passwd
path: searchblox/WEB-INF/config.xml
  • Detect LFI exploitation attempts targeting the SearchBlox FileServlet by monitoring GET requests to the path /searchblox/servlet/FileServlet with a 'url=' parameter, especially those referencing sensitive OS files like /etc/passwd or config paths like WEB-INF/config.xml.
  • A successful exploitation response body will contain the Unix passwd file pattern 'root:.*:0:0:'; use this regex to detect successful LFI data exfiltration in HTTP response bodies.
  • Monitor for unauthenticated access to searchblox/WEB-INF/config.xml via the FileServlet, as this file contains the Super Admin API key and base64-encoded SHA1 password hashes of all SearchBlox users.
  • The vulnerability affects all SearchBlox versions before 9.2.2. The LFI is exploitable without authentication, meaning no session cookie or API key is required to trigger the issue.
  • Successful exploitation of this LFI can yield the Super Admin API key and base64-encoded SHA1 hashes of all user passwords from config.xml, enabling further account compromise beyond file disclosure.
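The detection notes above, turned into a log scanner. This is an added example, not code from this page or from SearchBlox: it matches the FileServlet path and 'url=' parameter from the IOC list, rates hits on /etc/passwd and WEB-INF/config.xml as high severity, and applies the 'root:.*:0:0:' regex to response bodies. The access-log lines are constructed; the directory-traversal pattern and the double URL-decoding are assumptions added beyond the page's IOC list.

```python
"""Scan web access logs for CVE-2020-35580 (SearchBlox FileServlet LFI) attempts.

Added example; not part of the cvebase page or the SearchBlox code base.
Sample log lines are constructed for illustration.
"""
import re
from urllib.parse import urlsplit, unquote

VULN_PATH = "/searchblox/servlet/FileServlet"

# Combined log format: client IP first, request line in quotes, then status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Plain substring match so the degenerate "col=url=" form from the IOC list also hits.
URL_PARAM_RE = re.compile(r"url=([^&]*)")

# Targets that warrant a high-severity alert. The first two come from the page's
# IOC list; the traversal check is an assumption added for coverage.
SENSITIVE_RES = (
    re.compile(r"(^|/)etc/(passwd|shadow)$"),
    re.compile(r"WEB-INF/config\.xml$"),
    re.compile(r"(^|/)\.\.(/|$)"),
)
# Response-body signature for a leaked passwd file (from the detection notes).
PASSWD_RE = re.compile(r"root:.*:0:0:")


def classify_target(target):
    """Return None if the request is not a FileServlet url= request, else a finding."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    m = URL_PARAM_RE.search(parts.query)
    if m is None:
        return None
    # Decode twice: a single pass leaves %252e%252e-style double-encoded traversal intact.
    url = unquote(unquote(m.group(1)))
    sensitive = any(r.search(url) for r in SENSITIVE_RES)
    return {"url": url, "severity": "high" if sensitive else "info"}


def scan_log(lines):
    """Return one finding per FileServlet url= request, with client IP and status."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_target(m.group("target"))
        if hit is None:
            continue
        # A 2xx on a high-severity hit is the strongest signal the read succeeded.
        hit.update(ip=m.group("ip"), ts=m.group("ts"), status=int(m.group("status")))
        findings.append(hit)
    return findings


def response_indicates_leak(body):
    """True if an HTTP response body looks like a disclosed /etc/passwd."""
    return PASSWD_RE.search(body) is not None


# Constructed sample: two exploitation attempts, one benign document fetch, one unrelated hit.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/May/2021:10:01:22 +0000] "GET /searchblox/servlet/FileServlet?col=9&url=/etc/passwd HTTP/1.1" 200 1432 "-" "curl/7.68.0"',
    '203.0.113.5 - - [20/May/2021:10:01:30 +0000] "GET /searchblox/servlet/FileServlet?col=9&url=%2e%2e%2f%2e%2e%2fWEB-INF%2fconfig.xml HTTP/1.1" 200 5120 "-" "curl/7.68.0"',
    '198.51.100.7 - - [20/May/2021:10:02:01 +0000] "GET /searchblox/servlet/FileServlet?col=9&url=docs/report.pdf HTTP/1.1" 200 88210 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [20/May/2021:10:02:05 +0000] "GET /searchblox/index.html HTTP/1.1" 200 2000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(response_indicates_leak("root:x:0:0:root:/root:/bin/bash\n"))
```

Only the two 203.0.113.5 requests come back as high severity; the report.pdf fetch is recorded at info level because the same servlet serves legitimate documents, so the url= parameter alone is not proof of abuse.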

CVSS provenance

Source     Version   Score   Severity   Vector
nvd        v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd        v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck            7.5     HIGH