Platform
linux
Component
gatemanager
Fixed in
9.2c
CVE-2020-29026 describes a critical directory traversal vulnerability within the file upload functionality of GateManager. This flaw allows an authenticated attacker, possessing administrative privileges, to arbitrarily read and write files on the underlying Linux file system. The vulnerability affects all versions of GateManager prior to 9.2c, and a fix is available in version 9.2c.
The directory traversal vulnerability in GateManager poses a significant risk. An attacker who can authenticate as an administrator can leverage this flaw to read sensitive configuration files, source code, or even system binaries. More critically, they can write arbitrary files, potentially overwriting critical system files, installing malware, or creating backdoor accounts. This could lead to complete system compromise and data exfiltration. The ability to write files allows for persistent access and control, making this a high-impact vulnerability. Successful exploitation could mirror the impact of other file upload vulnerabilities where attackers have gained root access by overwriting system binaries.
CVE-2020-29026 was publicly disclosed on February 15, 2021. There is no indication of this vulnerability being actively exploited in the wild, nor is it listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the ease of exploitation given administrative access. The CVSS score of 9.0 (Critical) reflects the high potential impact and relatively low complexity of exploitation.
Exploit Status
EPSS
0.34% (57% percentile)
CVSS Vector
The primary mitigation for CVE-2020-29026 is to immediately upgrade GateManager to version 9.2c or later. If an upgrade is not immediately feasible due to compatibility concerns or testing requirements, consider implementing strict file upload validation and sanitization on the server-side. Restrict the upload directory to a limited, controlled location. Implement a Web Application Firewall (WAF) with rules to block requests containing directory traversal sequences (e.g., ../). Monitor file system activity for unexpected file modifications or creations, particularly within sensitive directories. After upgrading, confirm the fix by attempting a file upload with a path traversal payload and verifying that the upload fails with an appropriate error.
Update GateManager to version 9.2c or later. This update fixes the directory traversal vulnerability in the file upload function.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2020-29026 is a critical directory traversal vulnerability in GateManager versions prior to 9.2c, allowing authenticated admins to read/write arbitrary files.
Yes, if you are running GateManager version 9.2c or earlier, you are vulnerable to this directory traversal flaw.
Upgrade GateManager to version 9.2c or later. Implement file upload validation and WAF rules as a temporary workaround.
There is no confirmed evidence of active exploitation, but public proof-of-concept exploits exist.
Refer to the GateManager security advisories on their official website for detailed information and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.