CVE-2023-34096
Thruk has Path Traversal Vulnerability in panorama.pm
Severity Score
8.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
8
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Thruk is a multibackend monitoring webinterface which currently supports Naemon, Icinga, Shinken and Nagios as backends. In versions 3.06 and prior, the file `panorama.pm` is vulnerable to a Path Traversal vulnerability which allows an attacker to upload a file to any folder which has write permissions on the affected system. The parameter location is not filtered, validated or sanitized and it accepts any kind of characters. For a path traversal attack, the only characters required were the dot (`.`) and the slash (`/`). A fix is available in version 3.06.2.
Thruk Monitoring Web Interface versions 3.06 and below are affected by a path traversal vulnerability.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-05-25 CVE Reserved
- 2023-06-08 CVE Published
- 2024-08-02 CVE Updated
- 2024-08-02 First Exploit
- 2024-09-12 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (11)
| URL | Date | SRC |
|---|---|---|
| https://github.com/sni/Thruk/commit/26de047275c355c5ae2bbbc51b164f0f8bef5c5b | 2023-06-19 | |
| https://github.com/sni/Thruk/commit/cf03f67621b7bb20e2c768bc62b30e976206aa17 | 2023-06-19 |
| URL | Date | SRC |
|---|