cbcvebase.
CVE-2020-35736
published 2020-12-27

CVE-2020-35736: GateOne 1.1 allows arbitrary file download without authentication via /downloads/.. directory traversal because os.path.join is misused.

Priority: P2 65 (high)
CVSS 3.1: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 15.40% (96.4th percentile)

Affected (1 range)

Vendor | Product | Version range | Fixed in
liftoffsoftware | gateone | - | -

Detection & IOCs (extracted from sources)

url: /downloads/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
path: /downloads/..
  • Match HTTP 200 response with regex pattern for /etc/passwd content to confirm successful LFI exploitation
  • Exploit requires no authentication; look for unauthenticated GET requests to /downloads/ path with URL-encoded directory traversal sequences (%2f..%2f)
  • Single HTTP GET request is sufficient to trigger the vulnerability; monitor for traversal patterns in /downloads/ endpoint
  • Vulnerability is specific to GateOne version 1.1; other versions may not be affected
  • Root cause is misuse of os.path.join in Python, which allows an absolute path component to override prior path segments when traversal sequences are injected
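
The root cause and the log check described above, as an added example that is not GateOne's code or part of the original record: it contrasts an unchecked join with a containment-checked one and reuses that check to triage /downloads/ requests. The download root BASE, the function names and the sample request lines are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

BASE = "/srv/app/downloads"  # assumed download root, not GateOne's real path
PREFIX = "/downloads/"       # endpoint named in the advisory

def naive_resolve(base, user_path):
    """Flawed pattern: join with no normalisation or containment check."""
    return posixpath.join(base, user_path)

def safe_resolve(base, user_path):
    """Return the normalised path if it stays under base, else None.
    Real file-serving code should use realpath() so symlinks are resolved too."""
    base = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base, user_path))
    if posixpath.commonpath([base, target]) != base:
        return None
    return target

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (%252f -> %2f -> /), bounded."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_request(request_target):
    """True if a /downloads/ request would resolve outside the download root."""
    path = decode_fully(urlsplit(request_target).path)
    if not path.startswith(PREFIX):
        return False
    return safe_resolve(BASE, path[len(PREFIX):]) is None

# Constructed request targets, as they would appear in an access log.
SAMPLE_REQUESTS = [
    "/downloads/report.txt",
    "/downloads/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd",
    "/downloads/logs/../report.txt",
    "/static/app.js",
]

def triage(requests):
    return [r for r in requests if is_traversal_request(r)]

if __name__ == "__main__":
    print(naive_resolve(BASE, "/etc/passwd"))
    print(triage(SAMPLE_REQUESTS))
```

Resolving the path before judging it keeps a harmless request such as /downloads/logs/../report.txt from being flagged, which a plain match on ".." would not.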

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N