Platform
java
Component
goobi-viewer-core
Fixed in
4.8.4
CVE-2020-15124 describes a path traversal vulnerability affecting Goobi Viewer Core versions up to 4.8.3. This flaw allows remote attackers to potentially access files on the server where the application is running. Successful exploitation could lead to the disclosure of sensitive data, depending on the permissions of the application server user. The vulnerability has been addressed with a fix released in version 4.8.3.
The path traversal vulnerability in Goobi Viewer Core allows an attacker to manipulate file paths within the application, bypassing intended access controls. By crafting malicious requests, an attacker can potentially read files located outside of the intended web root directory. The scope of access is limited to files accessible by the application server user (e.g., Tomcat), but this could still include configuration files, database credentials, or other sensitive information. While not directly leading to remote code execution, the disclosure of such data could be leveraged for further attacks, such as privilege escalation or data breaches.
CVE-2020-15124 was publicly disclosed on July 22, 2020. There is no indication of active exploitation campaigns targeting this vulnerability at this time. No public proof-of-concept (PoC) code has been widely released, but the nature of path traversal vulnerabilities makes it relatively straightforward to develop an exploit. This CVE is not currently listed on the CISA KEV catalog.
Organizations utilizing Goobi Viewer Core in production environments, particularly those with sensitive data stored on the server, are at risk. Shared hosting environments where multiple users share the same server instance are also particularly vulnerable, as a compromised Goobi Viewer Core instance could potentially expose data belonging to other users.
• java / server:
  find /var/lib/tomcat/webapps/goobi-viewer-core/ -name "*.properties"
• generic web:
  curl -I 'http://your-goobi-viewer-core-url/../../../../etc/passwd' # Check for file disclosure
Exploit Status
EPSS
0.19% (percentile 40%)
CVSS Vector
The primary mitigation for CVE-2020-15124 is to immediately upgrade Goobi Viewer Core to version 4.8.3 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting file access permissions for the application server user to the absolute minimum required. Additionally, configure a Web Application Firewall (WAF) to filter requests containing suspicious path traversal patterns (e.g., '../'). Regularly review application logs for any unusual file access attempts. After upgrading, confirm the fix by attempting a path traversal attack and verifying that access is denied.
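The log review suggested above, as an added example that is not part of the original advisory: a scanner over constructed Tomcat-style access log lines that percent-decodes each requested path (including double-encoded forms, which a WAF rule matching only the literal string '../' would miss) and flags any parent-directory segment, marking a 200 response to such a request as a probable disclosure. The sample log lines and the context path /viewer are assumptions for the example, not data from any real deployment.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the Apache/Tomcat "combined" access log format.
# Fabricated for this example; not traffic captured from any real system.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jul/2020:10:01:02 +0000] "GET /viewer/api/v1/records/abc/files/image.jpg HTTP/1.1" 200 5120
203.0.113.9 - - [22/Jul/2020:10:01:05 +0000] "GET /viewer/../../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.9 - - [22/Jul/2020:10:01:06 +0000] "GET /viewer/%2e%2e/%2e%2e/WEB-INF/config.properties HTTP/1.1" 403 312
203.0.113.9 - - [22/Jul/2020:10:01:07 +0000] "GET /viewer/..%252f..%252fconf/server.xml HTTP/1.1" 404 0
203.0.113.12 - - [22/Jul/2020:10:02:00 +0000] "GET /viewer/static/css/style.css HTTP/1.1" 200 2200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so double-encoded
    sequences such as %252e%252e (-> %2e%2e -> ..) are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(raw_path: str) -> bool:
    """True if the decoded request path (query string dropped, backslashes
    treated as separators) contains a parent-directory segment."""
    decoded = fully_decode(raw_path.split("?", 1)[0]).replace("\\", "/")
    return ".." in decoded.split("/")

def scan_log(text: str) -> list:
    """Return one record per traversal attempt; a 200 status on such a request
    is the case to treat as a probable file disclosure."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["path"]):
            continue
        hits.append({"ip": m["ip"], "time": m["ts"], "path": m["path"],
                     "status": int(m["status"]),
                     "probable_disclosure": m["status"] == "200"})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```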
Update Goobi Viewer Core to version 4.8.3 or later. This version contains the fix for the path traversal vulnerability. The update can be performed by downloading the new version from the vendor's website and installing it according to the instructions provided.
CVE-2020-15124 is a critical vulnerability in Goobi Viewer Core versions 4.8.3 and earlier, allowing attackers to access files on the server through path manipulation.
If you are running Goobi Viewer Core version 4.8.3 or earlier, you are affected by this vulnerability and should upgrade immediately.
Upgrade Goobi Viewer Core to version 4.8.3 or later. As a temporary measure, restrict file access permissions and configure a WAF.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it easily exploitable.
Refer to the Goobi Viewer Core documentation and release notes for details on the fix and any related advisories.