CVE-2022-27043
published 2022-04-15

CVE-2022-27043: Yearning versions 2.3.1 and 2.3.2 Interstellar GA and 2.3.4 - 2.3.6 Neptune are vulnerable to Directory Traversal.

Priority: P357
Severity: high, 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Exploit: EXPLOIT
EPSS: 6.02% (92.4th percentile)

Affected

3 ranges

Vendor | Product | Version range | Fixed in
yearning | yearning | |
yearning | yearning | |
yearning | yearning | 2.3.4 – 2.3.6 |

Detection & IOCs (extracted from sources)

url: /front//%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
url: /front//%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini
path: /front/
  • Match HTTP GET requests to the /front/ endpoint containing URL-encoded backslash traversal sequences (%5c..%5c) in the path, with a 200 response, Content-Type of text/plain, and body matching 'root:.*:0:0:' (Linux) or both '[fonts]' and 'for 16-bit app support' (Windows).
  • The traversal payload uses a double-slash followed by URL-encoded backslashes (//%5c..%5c) at the /front/ endpoint — detect this specific pattern in HTTP access logs or WAF telemetry as an exploitation indicator.
  • The vulnerability is unauthenticated (PR:N, UI:N); no session token or credentials are required. Monitor for directory traversal attempts against Yearning instances identifiable via FOFA query app="Yearning".
  • Affected versions are specifically Yearning 2.3.1, 2.3.2 (Interstellar GA), and 2.3.4–2.3.6 (Neptune). Detection rules should be scoped to these versions to reduce false positives.
  • The Nuclei template uses stop-at-first-match across two payloads (Linux /etc/passwd and Windows win.ini), meaning only one request will be sent per target. Detection logic should account for both OS variants.
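
The access-log part of the detection guidance above, as an added example (not code from this page, Yearning, or the Nuclei template). It assumes combined-log-format lines; the function names and the sample log lines are constructed for illustration, and it matches both %5c and %5C by decoding the path before testing it.

```python
import re
from urllib.parse import unquote

# Request line and status as they appear in combined log format (assumed format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A backslash-delimited parent-directory step, tested on the URL-decoded path.
TRAVERSAL_RE = re.compile(r'\\\.\.(\\|/|$)')

def classify(line):
    """Return None, 'attempt' or 'likely-success' for one access-log line."""
    m = LOG_RE.search(line)
    if not m or m["method"] != "GET":
        return None
    raw_path = m["path"].split("?", 1)[0]
    if not raw_path.lower().startswith("/front/"):
        return None
    # Decode once so %5c and %5C are both seen as a literal backslash.
    if not TRAVERSAL_RE.search(unquote(raw_path)):
        return None
    # Access logs carry no response body, so a 200 is only a strong hint;
    # confirm against body signatures (e.g. 'root:.*:0:0:') in WAF/proxy data.
    return "likely-success" if m["status"] == "200" else "attempt"

def scan(lines):
    """Return (line_number, verdict) for every line that matches."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = classify(line)
        if verdict:
            hits.append((number, verdict))
    return hits

# Constructed sample log lines (documentation IP ranges, shortened paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Apr/2022:10:00:00 +0000] "GET /front//%5c..%5c..%5c..%5c/etc/passwd HTTP/1.1" 200 1024',
    '198.51.100.7 - - [15/Apr/2022:10:00:05 +0000] "GET /front//%5C..%5C..%5C/windows/win.ini HTTP/1.1" 404 0',
    '192.0.2.44 - - [15/Apr/2022:10:01:00 +0000] "GET /front/static/js/app.js HTTP/1.1" 200 5120',
    '192.0.2.44 - - [15/Apr/2022:10:01:02 +0000] "POST /api/v2/login HTTP/1.1" 200 310',
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```
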

CVSS provenance

nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N