Platform
java
Component
goobi-viewer-core
Fixed in
4.8.4
CVE-2020-15124 describes a path traversal vulnerability affecting Goobi Viewer Core versions up to 4.8.3. This flaw allows remote attackers to potentially access files on the server where the application is running. Successful exploitation could lead to the disclosure of sensitive data, depending on the permissions of the application server user. The vulnerability has been addressed with a fix released in version 4.8.3.
The path traversal vulnerability in Goobi Viewer Core allows an attacker to manipulate file paths within the application, bypassing intended access controls. By crafting malicious requests, an attacker can potentially read files located outside of the intended web root directory. The scope of access is limited to files accessible by the application server user (e.g., Tomcat), but this could still include configuration files, database credentials, or other sensitive information. While not directly leading to remote code execution, the disclosure of such data could be leveraged for further attacks, such as privilege escalation or data breaches.
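The containment failure described above is easiest to see in code. The following is an added example, not Goobi Viewer Core code and not taken from the advisory: it places a vulnerable resolver (which trusts the raw file name) next to a hardened one that decodes once, rejects absolute paths and double encoding, normalizes the result and checks that it is still inside a fixed content directory. The class and method names, the temporary content directory and the sample inputs are all assumptions made for illustration.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example, not Goobi Viewer Core code. Resolves a user-supplied file
 * name against a fixed content directory and refuses anything that would
 * land outside it. Directory name and sample inputs are assumptions.
 */
public final class SafeFileResolver {

    private final Path baseDir;

    public SafeFileResolver(Path baseDir) throws IOException {
        // toRealPath() gives the canonical, symlink-free location, so every
        // later containment check compares against the physical directory.
        this.baseDir = baseDir.toRealPath();
    }

    /** Vulnerable pattern: trusts the raw parameter, so "../../etc/passwd" escapes baseDir. */
    public Path resolveUnsafe(String requested) {
        return baseDir.resolve(requested);
    }

    /** Hardened pattern: returns the file to serve, or null when the request must be refused. */
    public Path resolveSafe(String requested) throws IOException {
        if (requested == null || requested.isEmpty()) {
            return null;
        }
        // Decode once so "%2e%2e%2f" is judged as "../". Anything still containing
        // '%' after one round is double-encoded and is refused, not decoded again.
        String decoded;
        try {
            decoded = URLDecoder.decode(requested, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            return null; // broken percent sequence
        }
        if (decoded.indexOf('%') >= 0 || decoded.indexOf('\0') >= 0 || decoded.indexOf('\\') >= 0) {
            return null;
        }
        Path candidate = Paths.get(decoded);
        // resolve() discards baseDir entirely when the argument is absolute.
        if (candidate.isAbsolute()) {
            return null;
        }
        // normalize() collapses ".." segments; a traversal then shows up as a path
        // that no longer starts with baseDir. Path.startsWith compares whole
        // components, so "/srv/data2" does not count as inside "/srv/data".
        Path resolved = baseDir.resolve(candidate).normalize();
        if (!resolved.startsWith(baseDir)) {
            return null;
        }
        // If the file exists, check its real path too, so that a symlink placed
        // inside baseDir cannot point back outside of it.
        if (Files.exists(resolved) && !resolved.toRealPath().startsWith(baseDir)) {
            return null;
        }
        return resolved;
    }

    public static void main(String[] args) throws IOException {
        // Constructed scenario: a temporary directory stands in for the content root.
        Path root = Files.createTempDirectory("content");
        Files.createDirectories(root.resolve("images"));
        Files.writeString(root.resolve("images/page1.jpg"), "not really a jpeg");

        SafeFileResolver resolver = new SafeFileResolver(root);
        String[] inputs = {
            "images/page1.jpg",             // legitimate
            "images/../images/page1.jpg",   // normalizes back inside the root
            "../../../../etc/passwd",       // classic traversal
            "%2e%2e%2f%2e%2e%2fetc/passwd", // single-encoded traversal
            "%252e%252e%252fetc/passwd",    // double-encoded, refused outright
            "/etc/passwd",                  // absolute path
        };
        for (String in : inputs) {
            System.out.println(in);
            System.out.println("  unsafe -> " + resolver.resolveUnsafe(in));
            System.out.println("  safe   -> " + resolver.resolveSafe(in));
        }
    }
}
```

Run with Java 11 or later. Only the first two inputs come back non-null from `resolveSafe`; `resolveUnsafe` happily returns a path under `/etc` for the third and sixth, which is exactly the behaviour the advisory describes.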
CVE-2020-15124 was publicly disclosed on July 22, 2020. There is no indication of active exploitation campaigns targeting this vulnerability at this time. No public proof-of-concept (PoC) code has been widely released, but the nature of path traversal vulnerabilities makes it relatively straightforward to develop an exploit. This CVE is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.19% (40th percentile)
CVSS Vector
The primary mitigation for CVE-2020-15124 is to immediately upgrade Goobi Viewer Core to version 4.8.3 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting file access permissions for the application server user to the absolute minimum required. Additionally, configure a Web Application Firewall (WAF) to filter requests containing suspicious path traversal patterns (e.g., '../'). Regularly review application logs for any unusual file access attempts. After upgrading, confirm the fix by attempting a path traversal attack and verifying that access is denied.
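The WAF filtering and log review steps above can be exercised with one small check. The following is an added example, not the advisory's or the project's code: it scans Tomcat-style access log lines for traversal attempts and decodes the request target up to two rounds, so that `%2e%2e%2f` and double-encoded forms are caught as well as the literal `../` that a naive filter would match. The log lines, client addresses and the `/app/download?file=` endpoint are constructed placeholders, not Goobi Viewer paths.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not part of the advisory or of Goobi Viewer Core. Flags
 * access log lines carrying a path-traversal attempt, including percent-encoded
 * and double-encoded forms. Log lines and the endpoint are constructed.
 */
public final class TraversalLogScanner {

    // Request target from a Tomcat/Apache style access log line.
    private static final Pattern REQUEST = Pattern.compile("\"(?:GET|POST|HEAD|PUT) (\\S+) HTTP/");
    // A ".." segment: preceded by start of string, a separator or '=' (query value),
    // followed by a separator or the end. "dots..in..name" does not match.
    private static final Pattern DOT_DOT = Pattern.compile("(^|[/=])\\.\\.(/|$)");

    /** Constructed sample log (common log format); nothing here came from a real system. */
    static final String[] SAMPLE_LOG = {
        "10.0.0.5 - - [22/Jul/2020:10:01:02 +0000] \"GET /app/download?file=images/page1.jpg HTTP/1.1\" 200 48213",
        "10.0.0.9 - - [22/Jul/2020:10:01:07 +0000] \"GET /app/download?file=../../../../etc/passwd HTTP/1.1\" 200 1207",
        "10.0.0.9 - - [22/Jul/2020:10:01:09 +0000] \"GET /app/download?file=%2e%2e%2f%2e%2e%2fWEB-INF/web.xml HTTP/1.1\" 200 9331",
        "10.0.0.9 - - [22/Jul/2020:10:01:11 +0000] \"GET /app/download?file=%252e%252e%252fWEB-INF/web.xml HTTP/1.1\" 404 0",
        "10.0.0.9 - - [22/Jul/2020:10:01:13 +0000] \"GET /app/download?file=..\\..\\WEB-INF\\web.xml HTTP/1.1\" 404 0",
        "10.0.0.7 - - [22/Jul/2020:10:02:30 +0000] \"GET /app/search?q=dots..in..name HTTP/1.1\" 200 5120",
    };

    /** Extracts the request target ("/path?query") from a log line, or null if none. */
    static String requestTarget(String line) {
        Matcher m = REQUEST.matcher(line);
        return m.find() ? m.group(1) : null;
    }

    /** True if a ".." segment appears at any decoding depth up to two rounds. */
    static boolean looksLikeTraversal(String target) {
        String current = target;
        for (int round = 0; round <= 2; round++) {
            // Backslashes count as separators because some stacks accept "..\" too.
            if (DOT_DOT.matcher(current.replace('\\', '/')).find()) {
                return true;
            }
            if (current.indexOf('%') < 0) {
                break; // nothing left to decode
            }
            try {
                String next = URLDecoder.decode(current, StandardCharsets.UTF_8);
                if (next.equals(current)) {
                    break;
                }
                current = next;
            } catch (IllegalArgumentException malformed) {
                break; // malformed percent sequence: stop decoding rather than guess
            }
        }
        return false;
    }

    /** Returns the log lines that carry a traversal attempt. */
    static List<String> flagged(String[] log) {
        List<String> hits = new ArrayList<>();
        for (String line : log) {
            String target = requestTarget(line);
            if (target != null && looksLikeTraversal(target)) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        List<String> hits = flagged(SAMPLE_LOG);
        System.out.println(hits.size() + " suspicious request(s):");
        for (String h : hits) {
            System.out.println("  " + h);
        }
    }
}
```

Against the constructed sample the scanner reports four lines (the plain, single-encoded, double-encoded and backslash variants) and leaves the legitimate download and the `dots..in..name` search alone. A WAF rule built the same way, matching on the decoded target rather than the raw bytes, avoids the blind spot of a literal `../` signature; note that a 404 on an encoded attempt, as in the fourth line, is still worth recording because it shows probing even where the request did not succeed.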
Update Goobi Viewer Core to version 4.8.3 or higher. This version contains the fix for the path traversal vulnerability. The update can be performed by downloading the new version from the vendor's website and installing it according to the provided instructions.
CVE-2020-15124 is a critical vulnerability in Goobi Viewer Core versions 4.8.3 and earlier, allowing attackers to access files on the server through path manipulation.
If you are running Goobi Viewer Core version 4.8.3 or earlier, you are affected by this vulnerability and should upgrade immediately.
Upgrade Goobi Viewer Core to version 4.8.3 or later. As a temporary measure, restrict file access permissions and configure a WAF.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it easily exploitable.
Refer to the Goobi Viewer Core documentation and release notes for details on the fix and any related advisories.