CVE-2021-38146
published 2021-11-22


Priority: P2 (64, high)
CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit: flagged
EPSS: 11.73% (95.5th percentile)
The File Download API in Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read arbitrary files via absolute path traversal in the SearchString JSON field in /home/download POST data.

Affected (1 range)

Vendor   Product   Version range   Fixed in
wipro    holmes    -               -

Detection & IOCs (extracted from sources)

URL: /home/download
Path: C:/Windows/Win.ini
Command:
    POST /home/download HTTP/1.1
    Content-Type: application/json

    {"SearchString": "C:/Windows/Win.ini", "Msg": ""}

  • Detect exploitation attempts by monitoring POST requests to /home/download whose SearchString JSON field contains an absolute path (e.g., 'C:/' or '/etc/').
  • Successful exploitation of a Windows target returns the content of Win.ini, containing the strings [fonts], [extensions], and [files], in the body of an HTTP 200 response.
  • Identify exposed Wipro Holmes Orchestrator instances via FOFA or similar banner-scanning tools using the page title 'Wipro Holmes Orchestrator'.
  • The vulnerability is unauthenticated (no credentials required), so any network-accessible instance is exploitable without prior authentication.
  • The affected version is specifically 20.4.1 (build 20.4.1_02_11_2020); the fix was introduced in v21.4.0.
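The two detection bullets above (absolute path in the SearchString field of a POST to /home/download, and Win.ini section headers in the response) as a small Python detector over raw HTTP text. This is an added example, not code from cbcvebase or from Wipro; the sample request strings, the Host header value and the UNC-prefix check are constructed assumptions.

```python
import json
import re
from typing import Optional

# Absolute-path shapes named on this page: a Windows drive root (C:/ or C:\)
# and a POSIX root (/etc/). The UNC prefix (\\) is an added assumption.
ABSOLUTE_PATH = re.compile(r"^(?:[A-Za-z]:[\\/]|/|\\\\)")

# Section headers that Win.ini content exhibits when a Windows target is read.
WININI_MARKERS = ("[fonts]", "[extensions]", "[files]")


def parse_http_request(raw: str) -> tuple:
    """Split a raw HTTP/1.1 request into (method, path, body); blanks if malformed."""
    head, _, body = raw.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split(" ", 2)
    if len(parts) < 2:
        return "", "", body
    return parts[0], parts[1], body


def flag_download_request(raw: str) -> Optional[str]:
    """Return the suspicious SearchString value, or None if the request looks benign."""
    method, path, body = parse_http_request(raw)
    if method != "POST" or path.split("?", 1)[0] != "/home/download":
        return None
    try:
        fields = json.loads(body)
    except json.JSONDecodeError:
        return None
    search = fields.get("SearchString") if isinstance(fields, dict) else None
    if isinstance(search, str) and ABSOLUTE_PATH.match(search.strip()):
        return search
    return None


def looks_like_winini(response_body: str) -> bool:
    """True when all three Win.ini section headers appear in a response body."""
    lowered = response_body.lower()
    return all(marker in lowered for marker in WININI_MARKERS)


# Constructed sample traffic (not captured from any real host).
SUSPICIOUS_REQUEST = (
    "POST /home/download HTTP/1.1\r\nHost: orchestrator.example\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"SearchString": "C:/Windows/Win.ini", "Msg": ""}'
)
BENIGN_REQUEST = (
    "POST /home/download HTTP/1.1\r\nContent-Type: application/json\r\n\r\n"
    '{"SearchString": "report-2021.pdf", "Msg": ""}'
)
```

Feed the request detector each POST body seen by a reverse proxy or WAF, and apply looks_like_winini to the paired 200 response to separate attempts from confirmed reads.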

CVSS provenance

NVD (CVSS v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD (CVSS v2.0): 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_redhat: 7.8 HIGH