CVE-2021-40875
Published 2021-09-22
Priority P1 · 81 · high · 7.5 CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 48.42% (98.7th percentile)
Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gurock | testrail | < 7.2.0.3014 | 7.2.0.3014 |
Detection & IOCs (extracted from sources)
Sigma rule: HTTP GET request to path matching /files.md5 or /testrail/files.md5 returning HTTP 200 with body containing 'app/arguments/admin'
- Shodan/FOFA queries can identify exposed TestRail instances: search for http.html:"TestRail", http.html:"testrail", or body="testrail".
- After retrieving files.md5, attackers enumerate each listed file path via HTTP; filter for responses that do NOT contain 'No direct script' or 'Directory Listing Denied' to identify accessible sensitive files.
- The exploit targets non-web-asset file types (excluding .php, .html, .js, .svg, .gif, .png, .css, .exe); monitor for bulk GET requests to unusual file paths on TestRail servers.
- Successful exploitation results in disclosure of SQL database insert statements containing unique server-specific information; monitor for unexpected access to database-related files.
- Gurock TestRail returns HTTP 200 even for access-denied responses, printing the error in the plaintext body rather than using HTTP error codes; the HTTP status code alone is therefore insufficient for detection, and body content must also be inspected.
- The Nuclei template caps response body reading at 1000 bytes (max-size: 1000), so detection rules should account for partial response matching.
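A defender-side triage routine that applies the indicators above to captured web traffic, added here as an example and not taken from any of the indexed sources; the sample requests, client addresses, hashes and file names are constructed, and the enumeration threshold is an assumption.

```python
import os
from collections import Counter

# Extensions the exploit skips (per the indicators above); bulk GETs for anything else are unusual.
WEB_ASSET_EXT = {".php", ".html", ".js", ".svg", ".gif", ".png", ".css", ".exe"}
MD5_PATHS = {"/files.md5", "/testrail/files.md5"}
# TestRail prints denials inside a 200 body, so these strings mark a blocked request.
DENIED_MARKERS = ("No direct script", "Directory Listing Denied")
BODY_CAP = 1000  # the Nuclei template reads only 1000 bytes; match on the same window

def files_md5_exposed(status, path, body):
    """True only when the manifest itself came back; status 200 alone proves nothing."""
    if status != 200 or path.split("?", 1)[0] not in MD5_PATHS:
        return False
    head = body[:BODY_CAP]
    if any(marker in head for marker in DENIED_MARKERS):
        return False
    return "app/arguments/admin" in head

def bulk_enumeration(events, threshold=5):
    """Clients issuing >= threshold GETs for non-web-asset paths (threshold is assumed)."""
    hits = Counter()
    for client, method, path, _status, _body in events:
        if method != "GET":
            continue
        ext = os.path.splitext(path.split("?", 1)[0])[1].lower()
        if ext and ext not in WEB_ASSET_EXT:
            hits[client] += 1
    return {client for client, n in hits.items() if n >= threshold}

def triage(events):
    """Summarise which clients got the manifest and which look like file enumeration."""
    exposed = {c for c, m, p, s, b in events if m == "GET" and files_md5_exposed(s, p, b)}
    return {"manifest_exposed_from": sorted(exposed), "enumerating": sorted(bulk_enumeration(events))}

# Constructed sample traffic: (client, method, path, status, body); hashes and bodies are made up.
SAMPLE = [
    ("10.0.0.5", "GET", "/files.md5", 200, "0123abcd app/arguments/admin.php\n4567ef01 app/config.ini\n"),
    ("10.0.0.5", "GET", "/app/arguments/admin.php", 200, "No direct script access allowed"),
    ("10.0.0.5", "GET", "/app/config.ini", 200, "[database]\nhost=db.internal\n"),
    ("10.0.0.5", "GET", "/install/schema.sql", 200, "INSERT INTO settings VALUES (...)"),
    ("10.0.0.5", "GET", "/readme.txt", 200, "TestRail"),
    ("10.0.0.5", "GET", "/changelog.md", 200, "# changes"),
    ("10.0.0.9", "GET", "/files.md5", 200, "Directory Listing Denied"),
    ("10.0.0.9", "GET", "/index.php?/dashboard", 200, "<html>TestRail</html>"),
]
```

Only 10.0.0.5 is reported on both counts: its files.md5 response carries manifest content, and it then pulls five non-web-asset files, while 10.0.0.9's 200 response is a denial page.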
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| VulnCheck | | 7.5 | HIGH | |
GHSA
GHSA-fmj6-gcwc-6452: Improper Access Control in Gurock TestRail versions < 7
ghsa_unreviewed · 2022-05-24 · CVE-2021-40875 [HIGH] · CWE-863
VulnCheck
gurock testrail Direct Request ('Forced Browsing')
vulncheck · 2021 · CVE-2021-40875 [HIGH] · CVSS 7.5
Affected: gurock testrail
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-08-18&host_type=src&
No detection rules found.
Exploit-DB
Gurock Testrail 7.2.0.3014 - 'files.md5' Improper Access Control
exploitdb · 2021-09-23 · CVE-2021-40875 [HIGH] · CVSS 7.5
---
# Exploit Title: Gurock Testrail 7.2.0.3014 - 'files.md5' Improper Access Control
# Date: 22/09/2022
# Exploit Author: Sick Codes & JohnJHacking (Sakura Samuraii)
# Vendor Homepage: https://www.gurock.com/testrail/
# Version: 7.2.0.3014 and below
# Tested on: macOS, Linux, Windows
# CVE : CVE-2021-40875
# Reference: https://johnjhacking.com/blog/cve-2021-40875/
CVE-2021-40875: Improper Access Control in Gurock TestRail versions ./files.md5
while read -r HASH SUFFIX; do
echo "${SUFFIX}"
TESTING_URL="${TARGET}/${SUFFIX}"
echo "========= ${TESTING_URL} ========="
# Ignore list, some of these files MAY be world readable,
# if the organisation has modified permissions related
# to the below files otherwise, they are ignor
Nuclei
Gurock TestRail Application files.md5 Exposure
nuclei · CVE-2021-40875 [HIGH] · CVSS 7.5
Improper access control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths which can then be tested, and in some cases result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
Template:
id: CVE-2021-40875
info:
  name: Gurock TestRail Application files.md5 Exposure
  author: oscarintherocks
  severity: high
  description: Improper access control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/164270/Gurock-Testrail-7.2.0.3014-Improper-Access-Control.html
- https://github.com/SakuraSamuraii/derailed
- https://johnjhacking.com/blog/cve-2021-40875/
- https://www.gurock.com/testrail/tour/enterprise-edition