CVE-2023-47211
published 2024-01-08CVE-2023-47211: A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to…
PriorityP272high8.6CVSS 3.1
AVNACLPRNUINSCCNIHAN
EXPLOIT
EPSS
47.02%
98.7th percentile
A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 0 < 4.4.0-269.303 | 4.4.0-269.303 |
| manageengine | opmanager | — | — |
| zohocorp | manageengine_firewall_analyzer | < 12.7 | 12.7 |
| zohocorp | manageengine_firewall_analyzer | — | — |
| zohocorp | manageengine_netflow_analyzer | < 12.7 | 12.7 |
| zohocorp | manageengine_netflow_analyzer | — | — |
| zohocorp | manageengine_network_configuration_manager | < 12.7 | 12.7 |
| zohocorp | manageengine_network_configuration_manager | — | — |
| zohocorp | manageengine_opmanager | < 12.7 | 12.7 |
| zohocorp | manageengine_opmanager | — | — |
| zohocorp | manageengine_opmanager_msp | < 12.7 | 12.7 |
| zohocorp | manageengine_opmanager_msp | — | — |
| zohocorp | manageengine_opmanager_plus | < 12.7 | 12.7 |
| zohocorp | manageengine_opmanager_plus | — | — |
| zohocorp | manageengine_oputils | < 12.7 | 12.7 |
| zohocorp | manageengine_oputils | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect exploitation attempts by matching POST requests to /client/api/json/mibbrowser/uploadMib with a multipart body containing path traversal sequences (e.g., '../') in the MIB filename or file content. ↗
- →A successful exploitation attempt returns HTTP 200 with Content-Type application/json and the body containing the string 'MIBFile with same name already exists', indicating the traversal-named file was already written. ↗
- →Monitor for the presence of the X-ZCSRF-TOKEN header with value pattern 'opmcsrftoken=<50+ char token>' in POST requests to the uploadMib endpoint, indicating an authenticated traversal attempt. ↗
- →Look for multipart/form-data uploads to OpManager where the MIB file content begins with a path traversal string such as '../images/' rather than a valid MIB module name. ↗
- →Shodan/FOFA fingerprint for exposed OpManager instances: search for HTTP title 'OpManager Plus' to identify attack surface. ↗
- ·The vulnerability is confirmed on ManageEngine OpManager version 12.7.258 specifically; other versions may or may not be affected. ↗
- ·The CSRF token (opmcsrfcookie) must be at least 50 characters long and is extracted from the Set-Cookie response header after login; detections relying on static token values will not work. ↗
CVSS provenance
nvdv3.18.6HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
osv5.5MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
linux, linux-aws, linux-kvm vulnerabilities
osv·2025-06-04·CVSS 5.5
CVE-2024-42301 linux, linux-aws, linux-kvm vulnerabilities
linux, linux-aws, linux-kvm vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Block layer subsystem;
- Clock framework and drivers;
- GPU drivers;
- Parport drivers;
- Ext4 file system;
- JFFS2 file system;
- JFS file system;
- File systems infrastructure;
- Sun RPC protocol;
- USB sound devices;
(CVE-2024-42301, CVE-2024-56596, CVE-2024-56551, CVE-2023-52458,
CVE-2024-57850, CVE-2024-47701, CVE-2024-53168, CVE-2021-47211,
CVE-2024-53155, CVE-2024-26966, CVE-2021-47353)
OSV
linux-aws, linux-lts-xenial vulnerabilities
osv·2025-06-04·CVSS 5.5
CVE-2024-42301 linux-aws, linux-lts-xenial vulnerabilities
linux-aws, linux-lts-xenial vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Block layer subsystem;
- Clock framework and drivers;
- GPU drivers;
- Parport drivers;
- Ext4 file system;
- JFFS2 file system;
- JFS file system;
- File systems infrastructure;
- Sun RPC protocol;
- USB sound devices;
(CVE-2024-42301, CVE-2024-53168, CVE-2024-57850, CVE-2024-47701,
CVE-2021-47211, CVE-2023-52458, CVE-2024-56551, CVE-2024-26966,
CVE-2024-53155, CVE-2024-56596, CVE-2021-47353)
OSV
linux-fips vulnerabilities
osv·2025-06-04·CVSS 5.5
CVE-2024-42301 linux-fips vulnerabilities
linux-fips vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Block layer subsystem;
- Clock framework and drivers;
- GPU drivers;
- Parport drivers;
- Ext4 file system;
- JFFS2 file system;
- JFS file system;
- File systems infrastructure;
- Sun RPC protocol;
- USB sound devices;
(CVE-2024-42301, CVE-2024-26966, CVE-2023-52458, CVE-2024-47701,
CVE-2024-53155, CVE-2021-47211, CVE-2024-57850, CVE-2024-56551,
CVE-2021-47353, CVE-2024-56596, CVE-2024-53168)
GHSA
GHSA-85h3-wq5q-6x6j: A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12
ghsa_unreviewed·2024-01-08
CVE-2023-47211 [CRITICAL] CWE-22 GHSA-85h3-wq5q-6x6j: A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12
A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability.
No detection rules found.
Nuclei
ManageEngine OpManager - Directory Traversal
nuclei·CVSS 8.6
CVE-2023-47211 [HIGH] ManageEngine OpManager - Directory Traversal
ManageEngine OpManager - Directory Traversal
A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability.
Template:
id: CVE-2023-47211
info:
name: ManageEngine OpManager - Directory Traversal
author: gy741
severity: high
description: |
A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability.
impact: |
Unauthenticated attackers can write arbitrary files to the system via path traversal, potentially creatin
Talos
Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024
blogs_talos·2024-01-17·CVSS 9.1
[CRITICAL] Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024
## Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024
Cisco Talos’ Vulnerability Research team has disclosed dozens of vulnerabilities over the past month, including more than 30 advisories in GTKWave and a critical vulnerability in ManageEngine OpManager.
Cisco ASIG also recently discovered an information disclosure vulnerability in DuoUniversalKeycloakAuthenticator, an authentication solution for Keycloak, an open-source identity and access management solution.
There are also multiple vulnerabilities in AVideo, an open-source video broadcasting suite, that could lead to arbitrary code execution.
All the vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adh
Talos
Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024
blogs_talos·2024-01-17·CVSS 9.1
[CRITICAL] Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024
Cisco Talos’ Vulnerability Research team has disclosed dozens of vulnerabilities over the past month, including more than 30 advisories in GTKWave and a critical vulnerability in ManageEngine OpManager.
Cisco ASIG also recently discovered an information disclosure vulnerability in DuoUniversalKeycloakAuthenticator, an authentication solution for Keycloak, an open-source identity and access management solution.
There are also multiple vulnerabilities in AVideo, an open-source video broadcasting suite, that could lead to arbitrary code execution.
All the vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.
For Snort coverage that can detect the exploitation of these vulnerabilit
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1851https://www.manageengine.com/itom/advisory/cve-2023-47211.htmlhttps://talosintelligence.com/vulnerability_reports/TALOS-2023-1851https://www.manageengine.com/itom/advisory/cve-2023-47211.htmlhttps://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1851
2024-01-08
Published