CVE-2021-38146
Published 2021-11-22
Priority P2 · 64 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 11.73% (95.5th percentile)
The File Download API in Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read arbitrary files via absolute path traversal in the SearchString JSON field in /home/download POST data.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wipro | holmes | — | — |
Detection & IOCs (extracted from sources)

Command:

```http
POST /home/download HTTP/1.1
Content-Type: application/json

{"SearchString": "C:/Windows/Win.ini", "Msg": ""}
```
- Detect exploitation attempts by monitoring POST requests to /home/download containing absolute paths (e.g., 'C:/' or '/etc/') in the SearchString JSON field.
- Successful exploitation of a Windows target returns Win.ini content containing the strings [fonts], [extensions], and [files] in the HTTP 200 response body.
- Identify exposed Wipro Holmes Orchestrator instances via FOFA or similar banner-scanning tools using the page title 'Wipro Holmes Orchestrator'.
- The vulnerability is unauthenticated (no credentials required), meaning any network-accessible instance is exploitable without prior authentication.
- The affected version is specifically 20.4.1 (build 20.4.1_02_11_2020); the fix was introduced in v21.4.0.
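The two detection hints above (an absolute path in the SearchString field of a POST to /home/download, and a 200 response that carries the Win.ini section headers) can be turned into a small log-side check. The code below is an added example written for this page, not code from the advisory, the Nuclei template or Wipro. It assumes the log pipeline hands it the request method, path, JSON body, response status and response body as strings; the sample events at the bottom are constructed, not captured traffic. It goes slightly beyond the page's hint by also flagging parent-directory (`..`) segments, since those are the usual relative form of the same bug class.

```python
import json
import re
from typing import List, Optional, Tuple

# Added example (not from the advisory source): flag POST /home/download requests whose
# SearchString is an absolute path or contains traversal segments, and 200 responses
# whose body looks like a leaked Win.ini.

# Absolute path forms: C:\..., C:/..., \\server\share (UNC), //..., /etc/...
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\|/)")
WININI_MARKERS = ("[fonts]", "[extensions]", "[files]")
TARGET_PATH = "/home/download"


def search_string_from_body(body: str) -> Optional[str]:
    """Return the SearchString field of a JSON body, or None if absent or unparseable."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return None
    if not isinstance(data, dict):
        return None
    value = data.get("SearchString")
    return value if isinstance(value, str) else None


def is_absolute_path(value: str) -> bool:
    """True for drive-letter, UNC and POSIX-rooted paths."""
    return bool(ABS_PATH_RE.match(value.strip()))


def has_traversal(value: str) -> bool:
    """True when any path segment is '..' (checked with both separator styles)."""
    return ".." in value.replace("\\", "/").split("/")


def flag_request(method: str, path: str, body: str) -> Optional[str]:
    """Return an alert reason for a suspicious /home/download request, else None."""
    if method.upper() != "POST":
        return None
    if path.split("?", 1)[0].rstrip("/").lower() != TARGET_PATH:
        return None
    target = search_string_from_body(body)
    if target is None:
        return None
    if is_absolute_path(target):
        return f"absolute path in SearchString: {target!r}"
    if has_traversal(target):
        return f"parent-directory traversal in SearchString: {target!r}"
    return None


def looks_like_winini(status: int, response_body: str) -> bool:
    """True when a 200 response body carries all three Win.ini section headers."""
    if status != 200:
        return False
    lowered = response_body.lower()
    return all(marker in lowered for marker in WININI_MARKERS)


# Constructed sample traffic for the demo (not captured from a real system).
SAMPLE_EVENTS = [
    {"method": "POST", "path": "/home/download", "status": 200,
     "body": '{"SearchString": "C:/Windows/Win.ini", "Msg": ""}',
     "response": "; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n[mci extensions]\r\n[files]\r\n"},
    {"method": "POST", "path": "/home/download", "status": 200,
     "body": '{"SearchString": "/etc/passwd", "Msg": ""}',
     "response": "root:x:0:0:root:/root:/bin/bash\n"},
    {"method": "POST", "path": "/home/download", "status": 200,
     "body": '{"SearchString": "report-2021.pdf", "Msg": ""}',
     "response": "%PDF-1.4 ..."},
    {"method": "GET", "path": "/home/download", "status": 405, "body": "", "response": ""},
]


def scan(events) -> List[Tuple[int, str]]:
    """Return (event index, reason) pairs for every event that matches the detection logic."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        reason = flag_request(ev["method"], ev["path"], ev["body"])
        if reason:
            hits.append((i, reason))
        if looks_like_winini(ev["status"], ev["response"]):
            hits.append((i, "response body resembles Win.ini"))
    return hits


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {why}")
```

The request-side check is the one worth alerting on, because a benign client of this API has no reason to send a rooted path; the response-side check is a confirmation signal that the read actually succeeded on a Windows host.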
CVSS provenance

- NVD v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
- NVD v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
- vendor_redhat: 7.8 HIGH (this score belongs to the Red Hat entry for CVE-2025-38146 listed below, not to CVE-2021-38146)
GHSA

GHSA-r23x-gq8q-5637 (ghsa_unreviewed · 2021-11-23) · CVE-2021-38146 [HIGH] · CWE-22

The File Download API in Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read arbitrary files via absolute path traversal in the SearchString JSON field in /home/download POST data.
Red Hat

Note: this entry concerns CVE-2025-38146, a different vulnerability; it appears here only because the source matched it to this record.

CVE-2025-38146 [HIGH] CWE-190 (vendor_redhat · 2025-07-03 · CVSS 7.8): kernel: Linux kernel Open vSwitch: Denial of Service via malformed MPLS packets

In the Linux kernel, the following vulnerability has been resolved:

net: openvswitch: Fix the dead loop of MPLS parse

The unexpected MPLS packet may not end with the bottom label stack.
When there are many stacks, the label count value has wrapped around.
A dead loop occurs, soft lockup/CPU stuck finally.

stack backtrace:

```text
UBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26
index -1 is out of range for type '__be32 [3]'
CPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G OE 5.15.0-121-generic #131-Ubuntu
Hardware name: Dell Inc. PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021
Call Trace:
show_stack+0x52/0x5c
dump_stack_lvl+0x4a/0x63
dump_stack+0x10/0x16
ubsan_
```
No detection rules found.
Nuclei

CVE-2021-38146 [HIGH] (nuclei · CVSS 7.5): Wipro Holmes Orchestrator 20.4.1 - Arbitrary File Download

The File Download API in Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read arbitrary files via absolute path traversal in the SearchString JSON field in /home/download POST data.

Template (truncated in the source):

```yaml
id: CVE-2021-38146

info:
  name: Wipro Holmes Orchestrator 20.4.1 - Arbitrary File Download
  author: s4e-io
  severity: high
  description: |
    The File Download API in Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read arbitrary files via absolute path traversal in the SearchString JSON field in /home/download POST data.
  impact: |
    Unauthenticated attackers can read arbitrary files from the server via path traversal in the SearchString parameter, potentially exposing sensitive config
```