Platform
java
Component
goobi-viewer-core
Fixed in
4.8.4
CVE-2020-15124 describes a path traversal vulnerability affecting Goobi Viewer Core versions up to 4.8.3. The flaw lets remote attackers read files on the server where the application is running. Successful exploitation can disclose sensitive data, bounded by the permissions of the application server user. The vulnerability has been addressed with a fix released in version 4.8.3.
The path traversal vulnerability in Goobi Viewer Core allows an attacker to manipulate file paths within the application, bypassing intended access controls. By crafting malicious requests, an attacker can navigate the file system and retrieve files that the application server user has permissions to access. This could include configuration files, source code, or other sensitive data. While the attacker's access is limited to the server user's permissions, this can still lead to significant data breaches and compromise system integrity. The potential for data exfiltration is high, especially if the server user has access to sensitive directories.
CVE-2020-15124 was publicly disclosed on July 22, 2020. While no active exploitation campaigns have been definitively linked to this vulnerability, the critical severity and ease of exploitation make it a potential target. There are currently no known public proof-of-concept exploits, but the vulnerability's nature suggests that one could be developed relatively easily. It is recommended to prioritize patching to reduce the attack surface.
Organizations utilizing Goobi Viewer Core in production environments, particularly those with sensitive data stored on the server, are at risk. Shared hosting environments where multiple users share the same server instance are also particularly vulnerable, as a compromised Goobi Viewer Core instance could potentially expose data belonging to other users.
• java / server:
find /var/lib/tomcat/webapps/goobi-viewer-core/ -name "*.properties"
• generic web:
curl -I 'http://your-goobi-viewer-core-url/../../../../etc/passwd' # Check for file disclosure
Exploit status
EPSS
0.19% (40th percentile)
CVSS vector
The primary mitigation for CVE-2020-15124 is to immediately upgrade Goobi Viewer Core to version 4.8.3 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting file access permissions for the application server user to only the necessary directories. Implementing a Web Application Firewall (WAF) with path traversal detection rules can also help to block malicious requests. Regularly review application logs for suspicious file access attempts.
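The two defensive measures above (keeping file access confined to intended directories, and reviewing logs for traversal attempts) can both be expressed as short checks. The following Python is an added example, not code from Goobi Viewer Core or from this advisory: safe_resolve() shows the canonicalise-then-verify pattern that closes this vulnerability class, and find_traversal_attempts() scans access-log lines for plain, URL-encoded and double-encoded traversal sequences. The base directory, request paths and log lines are constructed for the example; they are not Goobi Viewer's real layout or endpoints.

```python
"""Added example: path-traversal containment check and log review helper.

Not Goobi Viewer Core code. BASE_DIR, the /viewer/files/ endpoint and the
log lines below are constructed for illustration.
"""
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed base directory; in a real deployment this is the content root
# the application is allowed to serve from.
BASE_DIR = "/srv/goobi/files"


def safe_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """Return the canonical path for user_path inside base_dir, or None.

    The check canonicalises both sides (realpath follows symlinks and
    collapses '..') and then requires base_dir to be a whole-component
    prefix of the result, so '/srv/data' does not accept '/srv/data2/x'.
    """
    base = os.path.realpath(base_dir)
    # Absolute paths and NUL bytes are never legitimate relative file names.
    if "\x00" in user_path or os.path.isabs(user_path):
        return None
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# '..' only counts when it is a whole path component (bounded by / or \).
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Request-line field of a Common Log Format entry: "METHOD path HTTP/x".
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)')


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_attempts(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (log line, decoded request path) for lines containing '..' segments."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = decode_fully(match.group(1))
        if TRAVERSAL_RE.search(path):
            hits.append((line, path))
    return hits


# Constructed access-log sample: one benign request, three traversal
# attempts in different encodings, and one benign name containing '..'.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jul/2020:10:00:01 +0000] "GET /viewer/files/images/page1.jpg HTTP/1.1" 200 5120',
    '203.0.113.5 - - [22/Jul/2020:10:00:02 +0000] "GET /viewer/files/../../../../etc/passwd HTTP/1.1" 200 1834',
    '203.0.113.5 - - [22/Jul/2020:10:00:03 +0000] "GET /viewer/files/%2e%2e%2f%2e%2e%2fWEB-INF/web.xml HTTP/1.1" 200 2210',
    '203.0.113.5 - - [22/Jul/2020:10:00:04 +0000] "GET /viewer/files/%252e%252e%252fconfig.properties HTTP/1.1" 404 120',
    '198.51.100.7 - - [22/Jul/2020:10:00:05 +0000] "GET /viewer/static/logo..png HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for requested in ("viewer/page1.xml", "../../etc/passwd", "/etc/passwd"):
        print(f"{requested!r:>22} -> {safe_resolve(BASE_DIR, requested)}")
    for line, path in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", path)
```

Both functions operate after decoding and canonicalisation rather than on the raw string, which is what distinguishes them from a naive `".." in path` filter: the containment check survives symlinks and `a/../b` forms, and the log scan still flags the double-encoded request on the fourth sample line while ignoring the harmless `logo..png`.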
Update Goobi Viewer Core to version 4.8.3 or later. This version contains the fix for the path traversal vulnerability. The update can be performed by downloading the new version from the vendor's website and installing it according to the instructions provided.
CVE-2020-15124 is a critical vulnerability in Goobi Viewer Core versions 4.8.3 and earlier, allowing attackers to access files on the server through path manipulation.
If you are running Goobi Viewer Core version 4.8.3 or earlier, you are affected by this vulnerability and should upgrade immediately.
Upgrade Goobi Viewer Core to version 4.8.3 or later. As a temporary measure, restrict file access permissions and configure a WAF.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it easily exploitable.
Refer to the Goobi Viewer Core documentation and release notes for details on the fix and any related advisories.