cbcvebase.
CVE-2021-40978
published 2021-10-07

CVE-2021-40978: The mkdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information. NOTE: the…

PriorityP357high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
14.76%
96.3th percentile
The mkdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information. NOTE: the vendor has disputed this as described in https://github.com/mkdocs/mkdocs/issues/2601.] and https://github.com/nisdn/CVE-2021-40978/issues/1

Affected

3 ranges
VendorProductVersion rangeFixed in
debianpython-mkdocs
mkdocsmkdocs
mkdocsmkdocs>= 1.2.2 < 1.2.31.2.3

Detection & IOCsextracted from sources · hover to see the quote

port8000
path/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
  • Look for URL-encoded directory traversal sequences (%2e%2e) in HTTP GET requests targeting port 8000, specifically attempting to reach /etc/passwd via 7 traversal levels.
  • A successful exploitation response will return HTTP 200 with a body matching the regex 'root:[x*]:0:0:', indicating /etc/passwd content was served.
  • Exploitation requires the MKdocs dev-server to be publicly exposed; monitor for external connections to port 8000 running MKdocs 1.2.2.
  • ·The vulnerability is disputed by the vendor; exploitation requires the dev-server to be intentionally exposed publicly, which is not its intended use case.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
osv7.5HIGH
vendor_debian7.5LOW
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.