CVE-2020-27304

civetweb: directory traversal when using the built-in example HTTP form-based file upload mechanism via the mg_handle_form_request API

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The CivetWeb web library does not validate uploaded filepaths when running on an OS other than Windows, when using the built-in HTTP form-based file upload mechanism, via the mg_handle_form_request API. Web applications that use the file upload form handler, and use parts of the user-controlled filename in the output path, are susceptible to directory traversal

La biblioteca web CivetWeb no comprueba las rutas de los archivos cargados cuando se ejecuta en un sistema operativo distinto de Windows, cuando es usado el mecanismo incorporado de carga de archivos basado en formularios HTTP, por medio de la API mg_handle_form_request. Las aplicaciones web que usan el manejador de formularios de carga de archivos, y usan partes del nombre de archivo controlado por el usuario en la ruta de salida, son susceptibles a un salto de directorio

A remote code execution vulnerability was found in CivetWeb (embeddable web server/library). Due to a directory traversal issue, an attacker is able to add or overwrite files that are subsequently executed which lead to impact to confidentiality, integrity, and availability of the application.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-10-19 CVE Reserved
2021-10-21 CVE Published
2024-07-06 EPSS Updated
2024-08-04 CVE Updated
2024-08-04 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-23: Relative Path Traversal

CAPEC

References (6)

URL	Tag	Source
https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf	X_refsource_confirm
https://groups.google.com/g/civetweb/c/yPBxNXdGgJQ	Mailing List

URL	Date	SRC
https://jfrog.com/blog/cve-2020-27304-rce-via-directory-traversal-in-civetweb-http-server	2024-08-04

URL	Date	SRC
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf	2022-06-14

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2020-27304	2021-12-01
https://bugzilla.redhat.com/show_bug.cgi?id=2016640	2021-12-01

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Civetweb Project Search vendor "Civetweb Project"		Civetweb Search vendor "Civetweb Project" for product "Civetweb"				>= 1.8 < 1.15 Search vendor "Civetweb Project" for product "Civetweb" and version " >= 1.8 < 1.15"		-		Affected
Siemens Search vendor "Siemens"		Sinec Infrastructure Network Services Search vendor "Siemens" for product "Sinec Infrastructure Network Services"				< 1.0.1.1 Search vendor "Siemens" for product "Sinec Infrastructure Network Services" and version " < 1.0.1.1"		-		Affected