CVE-2024-41628
published 2024-07-26

CVE-2024-41628: Directory Traversal vulnerability in Severalnines Cluster Control 1.9.8 before 1.9.8-9778, 2.0.0 before 2.0.0-9779, and 2.1.0 before 2.1.0-9780 allows a remote…

Priority: P2 61 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 6.46% (92.9th percentile)
Directory Traversal vulnerability in Severalnines Cluster Control 1.9.8 before 1.9.8-9778, 2.0.0 before 2.0.0-9779, and 2.1.0 before 2.1.0-9780 allows a remote attacker to include and display file content in an HTTP request via the CMON API.

Detection & IOCs (extracted from sources)

url: GET /../../../../../../../../..//etc/passwd HTTP/1.1
path: /../../../../../../../../..//etc/passwd
other: icon_hash="160707013" || icon_hash="-1815707560"
  • Fingerprint the target by checking the HTTP response body for both 'ClusterControl' and 'CMON_API' strings with content-type text/html and HTTP 200 status before attempting exploitation.
  • The directory traversal payload uses a double leading slash in the traversal path (//etc/passwd) combined with multiple ../ sequences; monitor HTTP GET requests to the CMON API endpoint matching this pattern.
  • Successful exploitation returns /etc/passwd content in the HTTP response body; detect by matching the regex 'root:.*:0:0:' in responses from ClusterControl hosts.
  • Use FOFA icon hash queries to identify exposed ClusterControl instances: icon_hash="160707013" or icon_hash="-1815707560".
  • The vulnerability is unauthenticated (PR:N) and network-reachable (AV:N); no authentication headers are required in the traversal request.
  • Affected versions are 1.9.8 before 1.9.8-9778, 2.0.0 before 2.0.0-9779, and 2.1.0 before 2.1.0-9780; the traversal path and detection regex are only validated against these builds.
  • The Nuclei template uses a two-step flow: step 1 fingerprints the host (internal matcher), step 2 fires the traversal payload — single-step detections without fingerprinting may produce false positives.
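
The request and response indicators above, applied to access logs as an added example (not code from the advisory, the vendor, or the Nuclei template). It assumes a combined-format access log in front of the CMON API that records the raw request target, and it goes beyond the literal payload by also percent-decoding the path; the log layout, sample lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed log layout: combined access log that records the raw request target.
LOG_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) '
                    r'HTTP/[\d.]+" (?P<status>\d{3}) ')
# Two or more consecutive ../ segments, tolerating doubled slashes (..//etc).
TRAVERSAL_RE = re.compile(r'(?:\.\.[/\\]+){2,}')
# Response-body indicator listed in the detection notes above.
PASSWD_RE = re.compile(r'root:.*:0:0:')

# Constructed sample lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Jul/2024:10:00:01 +0000] '
    '"GET /../../../../../../../../..//etc/passwd HTTP/1.1" 200 1843',
    '192.0.2.10 - - [26/Jul/2024:10:00:02 +0000] '
    '"GET /%2e%2e/%2e%2e/%2e%2e//etc/passwd HTTP/1.1" 404 162',
    '198.51.100.7 - - [26/Jul/2024:10:00:03 +0000] '
    '"GET /v2/clusters HTTP/1.1" 200 512',
]

def normalise(target, rounds=3):
    """Drop the query string, then percent-decode until the path is stable."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(line):
    """Return a finding dict for a traversal GET, or None for other lines."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    path = normalise(m["target"])
    if not TRAVERSAL_RE.search(path):
        return None
    status = int(m["status"])
    verdict = "served" if status == 200 else "refused"
    return {"src": m["src"], "path": path, "status": status, "verdict": verdict}

def body_leaks_passwd(body):
    """True when a captured response body contains a root passwd entry."""
    return bool(PASSWD_RE.search(body))

def scan(lines):
    return [f for f in map(classify, lines) if f]
```

A `served` verdict only means the request returned HTTP 200; confirm disclosure by running `body_leaks_passwd` over the matching response body where full-capture data exists.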