cbcvebase.
CVE-2021-40875
published 2021-09-22


Priority: P1 81 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
In the wild: ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 48.42% (98.7th percentile)
Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.

Affected (1 range)

Vendor: gurock · Product: testrail · Version range: < 7.2.0.3014 · Fixed in: 7.2.0.3014

Detection & IOCs (extracted from sources)

  • path: /files.md5
  • path: /testrail/files.md5
  • other: app/arguments/admin

Sigma rule (described): HTTP GET request to a path matching /files.md5 or /testrail/files.md5 returning HTTP 200 with a body containing 'app/arguments/admin'.
  • Shodan/FOFA queries can identify exposed TestRail instances: search for http.html:"TestRail", http.html:"testrail", or body="testrail".
  • After retrieving files.md5, attackers enumerate each listed file path via HTTP; filter for responses that do NOT contain 'No direct script' or 'Directory Listing Denied' to identify accessible sensitive files.
  • The exploit targets non-web-asset file types (excluding .php, .html, .js, .svg, .gif, .png, .css, .exe); monitor for bulk GET requests to unusual file paths on TestRail servers.
  • Successful exploitation results in disclosure of SQL database insert statements containing unique server-specific information; monitor for unexpected access to database-related files.
  • Gurock TestRail returns HTTP 200 even for access-denied responses, printing the error in the plaintext body rather than using HTTP error codes; the HTTP status code alone is insufficient for detection, and the body content must also be inspected.
  • The Nuclei template caps response body reading at 1000 bytes (max-size: 1000), meaning detection rules should account for partial response matching.
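The detection bullets above describe two signals a defender can pull from ordinary web-server access logs: a served request for files.md5, and a burst of GETs for non-web-asset file types from one client. The following Python script is an added example, not code from the page or from Gurock; it parses constructed Apache/nginx combined-format log lines (the IPs, timestamps and file paths are made up), flags both signals, and treats paths without a file extension as application routes rather than enumerated files. It only sees request lines and status codes, so the body check the Sigma rule needs (the 'app/arguments/admin' string, or the plaintext denial messages TestRail returns with HTTP 200) would have to come from a proxy or WAF log that records response content.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined access-log line (assumed format: client, ident, user, [timestamp],
# "METHOD path protocol", status, size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Paths named in the IOC list.
MD5_PATHS = {"/files.md5", "/testrail/files.md5"}
# Extensions the page says the exploit skips (normal web assets).
WEB_ASSET_EXT = {".php", ".html", ".js", ".svg", ".gif", ".png", ".css", ".exe"}
# Tuning knobs chosen for this example, not values from the page.
ENUM_THRESHOLD = 5          # non-asset file GETs from one client ...
ENUM_WINDOW_SECONDS = 60    # ... within this many seconds


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # drop query string
    return rec


def is_enumerable_file(path):
    """True for a file with an extension that is not a normal web asset."""
    name = path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    if dot < 0:
        return False                 # route without extension, not a file
    return name[dot:].lower() not in WEB_ASSET_EXT


def detect(lines):
    """Run both rules over log lines; return a list of alert dicts in order."""
    alerts = []
    recent = defaultdict(list)       # client ip -> timestamps of file GETs
    flagged = set()                  # clients already reported for enumeration
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        # Rule 1: files.md5 was actually served (status 200).
        if rec["path"] in MD5_PATHS and rec["status"] == 200:
            alerts.append({"rule": "files_md5_served",
                           "ip": rec["ip"], "path": rec["path"]})
        # Rule 2: bulk requests for non-asset files within a sliding window.
        if is_enumerable_file(rec["path"]):
            cutoff = rec["ts"].timestamp() - ENUM_WINDOW_SECONDS
            hits = [t for t in recent[rec["ip"]] if t.timestamp() >= cutoff]
            hits.append(rec["ts"])
            recent[rec["ip"]] = hits
            if len(hits) >= ENUM_THRESHOLD and rec["ip"] not in flagged:
                flagged.add(rec["ip"])
                alerts.append({"rule": "bulk_non_asset_enumeration",
                               "ip": rec["ip"], "count": len(hits)})
    return alerts


# Constructed sample log: one client fetches files.md5 and then walks
# through several non-asset files; a second client only touches assets.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Sep/2021:10:00:01 +0000] "GET /testrail/files.md5 HTTP/1.1" 200 48213',
    '203.0.113.7 - - [22/Sep/2021:10:00:02 +0000] "GET /testrail/index.php?/auth/login HTTP/1.1" 200 3120',
    '203.0.113.7 - - [22/Sep/2021:10:00:03 +0000] "GET /testrail/data/example1.sql HTTP/1.1" 200 9001',
    '203.0.113.7 - - [22/Sep/2021:10:00:04 +0000] "GET /testrail/data/example2.ini HTTP/1.1" 200 640',
    '203.0.113.7 - - [22/Sep/2021:10:00:05 +0000] "GET /testrail/data/example3.txt HTTP/1.1" 200 120',
    '203.0.113.7 - - [22/Sep/2021:10:00:06 +0000] "GET /testrail/data/example4.bak HTTP/1.1" 200 7777',
    '198.51.100.9 - - [22/Sep/2021:10:00:07 +0000] "GET /testrail/app/style.css HTTP/1.1" 200 1500',
    '198.51.100.9 - - [22/Sep/2021:10:00:08 +0000] "GET /testrail/files.md5 HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Rule 2 counts the files.md5 fetch itself as the first non-asset hit, so a client that pulls the manifest and then walks the list trips the threshold a few requests later. A 404 for files.md5 is deliberately not alerted, since TestRail's real denials arrive as 200 with an error body; if your logging layer captures response bodies, add the 'No direct script' and 'Directory Listing Denied' strings as an exclusion and 'app/arguments/admin' as a confirmation.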

CVSS provenance

  • NVD, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • NVD, CVSS v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
  • VulnCheck: 7.5 HIGH