Plattform
linux
Komponente
gatemanager
Behoben in
9.2c
CVE-2020-29026 describes a critical directory traversal vulnerability within the file upload functionality of GateManager. This flaw allows an authenticated attacker, possessing administrative privileges, to arbitrarily read and write files on the underlying Linux file system. The vulnerability affects all versions of GateManager prior to 9.2c, and a fix is available in version 9.2c.
The directory traversal vulnerability in GateManager poses a significant risk. An attacker who can authenticate as an administrator can leverage this flaw to read sensitive configuration files, source code, or even system binaries. More critically, they can write arbitrary files, potentially overwriting critical system files, installing malware, or creating backdoor accounts. This could lead to complete system compromise and data exfiltration. The ability to write files allows for persistent access and control, making this a high-impact vulnerability. Successful exploitation could mirror the impact of other file upload vulnerabilities where attackers have gained root access by overwriting system binaries.
CVE-2020-29026 was publicly disclosed on February 15, 2021. There is no indication of this vulnerability being actively exploited in the wild, nor is it listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the ease of exploitation given administrative access. The CVSS score of 9.0 (Critical) reflects the high potential impact and relatively low complexity of exploitation.
Organizations running GateManager version 9.2c or earlier, particularly those with Linux-based deployments, are at significant risk. Shared hosting environments where multiple users share the same GateManager instance are especially vulnerable, as a compromised user account could be leveraged to exploit this vulnerability.
• linux / server:
find /opt/gatemanager/uploads -name '*\*.' -print• linux / server:
journalctl -u gatemanager -g "directory traversal"• linux / server:
ps aux | grep gatemanagerdisclosure
Exploit-Status
EPSS
0.34% (57% Perzentil)
CVSS-Vektor
The primary mitigation for CVE-2020-29026 is to immediately upgrade GateManager to version 9.2c or later. If an upgrade is not immediately feasible due to compatibility concerns or testing requirements, consider implementing strict file upload validation and sanitization on the server-side. Restrict the upload directory to a limited, controlled location. Implement a Web Application Firewall (WAF) with rules to block requests containing directory traversal sequences (e.g., ../). Monitor file system activity for unexpected file modifications or creations, particularly within sensitive directories. After upgrading, confirm the fix by attempting a file upload with a path traversal payload and verifying that the upload fails with an appropriate error.
Actualice GateManager a la versión 9.2c o posterior. Esta actualización corrige la vulnerabilidad de recorrido de directorios en la función de carga de archivos.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2020-29026 is a critical directory traversal vulnerability in GateManager versions prior to 9.2c, allowing authenticated admins to read/write arbitrary files.
Yes, if you are running GateManager version 9.2c or earlier, you are vulnerable to this directory traversal flaw.
Upgrade GateManager to version 9.2c or later. Implement file upload validation and WAF rules as a temporary workaround.
There is no confirmed evidence of active exploitation, but public proof-of-concept exploits exist.
Refer to the GateManager security advisories on their official website for detailed information and updates.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.