CVE-2022-38794
published 2022-08-27CVE-2022-38794: Zaver through 2020-12-15 allows directory traversal via the GET /.. substring.
PriorityP353high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
3.60%
88.0th percentile
Zaver through 2020-12-15 allows directory traversal via the GET /.. substring.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zaver_project | zaver | <= 2020-12-15 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Look for HTTP GET requests containing path traversal sequences (e.g., /../) targeting /etc/passwd in the request URI against Zaver HTTP server instances. ↗
- →A successful exploitation response will return HTTP 200 with a body matching the pattern 'root:[x*]:0:0', indicating /etc/passwd was served. ↗
- →The attack requires no authentication (PR:N, UI:N) and is network-accessible; any unauthenticated GET request with traversal sequences should be flagged. ↗
- ·Vulnerability is specific to Zaver versions through 2020-12-15 only; later versions or forks may not be affected. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Nuclei
Zaver - Local File Inclusion
nuclei·CVSS 7.5
CVE-2022-38794 [HIGH] Zaver - Local File Inclusion
Zaver - Local File Inclusion
Zaver through 2020-12-15 is vulnerable to local file inclusion via the GET /.. substring.
Template:
id: CVE-2022-38794
info:
name: Zaver - Local File Inclusion
author: pikpikcu
severity: high
description: |
Zaver through 2020-12-15 is vulnerable to local file inclusion via the GET /.. substring.
impact: |
This vulnerability can lead to unauthorized access, data leakage, and remote code execution.
remediation: |
To remediate this vulnerability, ensure that user input is properly validated and sanitized before being used in file inclusion operations.
reference:
- https://github.com/zyearn/zaver/issues/22
- https://nvd.nist.gov/vuln/detail/CVE-2022-38794
- https://github.com/ARPSyndicate/cvemon
- https://github.com/ARPSyndicate/kenzer-templates
- https://githu
No writeups or analysis indexed.
2022-08-27
Published