Platform: java
Component: goobi-viewer-core
Fixed in: 4.8.4
CVE-2020-15124 describes a path traversal vulnerability affecting Goobi Viewer Core versions up to 4.8.3. This flaw allows remote attackers to potentially access files on the server where the application is running. Successful exploitation could lead to the disclosure of sensitive data, depending on the permissions of the application server user. The vulnerability has been addressed with a fix released in version 4.8.3.
The path traversal vulnerability in Goobi Viewer Core allows an attacker to manipulate file paths within the application, bypassing intended access controls. By crafting malicious requests, an attacker can potentially read files located outside of the intended web root directory. The scope of access is limited to files accessible by the application server user (e.g., Tomcat), but this could still include configuration files, database credentials, or other sensitive information. While not directly leading to remote code execution, the disclosure of such data could be leveraged for further attacks, such as privilege escalation or data breaches.
CVE-2020-15124 was publicly disclosed on July 22, 2020. There is no indication of active exploitation campaigns targeting this vulnerability at this time. No public proof-of-concept (PoC) code has been widely released, but the nature of path traversal vulnerabilities makes it relatively straightforward to develop an exploit. This CVE is not currently listed on the CISA KEV catalog.
Organizations utilizing Goobi Viewer Core in production environments, particularly those with sensitive data stored on the server, are at risk. Shared hosting environments where multiple users share the same server instance are also particularly vulnerable, as a compromised Goobi Viewer Core instance could potentially expose data belonging to other users.
• java / server:
find /var/lib/tomcat/webapps/goobi-viewer-core/ -name "*.properties"
• generic web:
curl -I 'http://your-goobi-viewer-core-url/../../../../etc/passwd' # Check for file disclosure
Exploit status
EPSS: 0.19% (40th percentile)
CVSS vector
The primary mitigation for CVE-2020-15124 is to immediately upgrade Goobi Viewer Core to version 4.8.3 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting file access permissions for the application server user to the absolute minimum required. Additionally, configure a Web Application Firewall (WAF) to filter requests containing suspicious path traversal patterns (e.g., '../'). Regularly review application logs for any unusual file access attempts. After upgrading, confirm the fix by attempting a path traversal attack and verifying that access is denied.
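As an added example, not code from this page or from the Goobi project, the Python below applies the containment rule a fixed file handler needs (join the requested name onto the serving directory, normalize away `.` and `..`, then check the prefix) and reuses that same rule to review access-log lines for the traversal attempts the mitigation advice says to watch for. The route prefix `/viewer/files/`, the web root, and the log lines are constructed assumptions; the sample also shows why a plain `../` substring rule both over-matches (a harmless `sub/../page2.jpg`) and under-matches (a percent-encoded `..%2f`).

```python
import posixpath
import re
from urllib.parse import unquote

# Assumptions (constructed for this example, not Goobi's real layout): the
# file-serving route prefix and the directory it is meant to serve from.
FILES_PREFIX = "/viewer/files/"
WEB_ROOT = "/var/lib/tomcat/webapps/goobi-viewer-core/files"

# Constructed Tomcat/Apache combined-format access log lines, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jul/2020:10:00:01 +0000] "GET /viewer/files/abc/page1.jpg HTTP/1.1" 200 5120
10.0.0.9 - - [22/Jul/2020:10:00:02 +0000] "GET /viewer/files/abc/../../../../etc/passwd HTTP/1.1" 200 1843
10.0.0.9 - - [22/Jul/2020:10:00:03 +0000] "GET /viewer/files/abc/..%2f..%2fWEB-INF/web.xml HTTP/1.1" 404 211
10.0.0.7 - - [22/Jul/2020:10:00:04 +0000] "GET /viewer/files/abc/sub/../page2.jpg HTTP/1.1" 200 4096
10.0.0.7 - - [22/Jul/2020:10:00:05 +0000] "GET /viewer/index.xhtml HTTP/1.1" 200 9870
"""

REQ_RE = re.compile(r'"(?:GET|HEAD|POST) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def resolve_within(base_dir, relative):
    """Normalized path if it stays under base_dir, else None. This is the rule a
    fixed file handler must enforce: join, collapse '.' and '..', check the prefix
    (join also discards base_dir for an absolute `relative`; the check catches it)."""
    candidate = posixpath.normpath(posixpath.join(base_dir, relative))
    if candidate == base_dir or candidate.startswith(base_dir + "/"):
        return candidate
    return None

def is_traversal_attempt(target):
    """Decode one layer of percent-encoding, drop the query string, and report
    whether the requested file would resolve outside WEB_ROOT."""
    path = unquote(target.split("?", 1)[0])
    if not path.startswith(FILES_PREFIX):
        return False
    return resolve_within(WEB_ROOT, path[len(FILES_PREFIX):]) is None

def naive_flag(target):
    """Plain substring match on '../', as a quick WAF rule would do."""
    return "../" in target

def suspicious_requests(log_text):
    """(line_no, target, status) for each request that escapes WEB_ROOT."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQ_RE.search(line)
        if m and is_traversal_attempt(m["target"]):
            hits.append((n, m["target"], int(m["status"])))
    return hits
```

A hit with HTTP 200 (line 2 of the sample) is the case worth escalating: the server answered the out-of-root request rather than rejecting it, which is exactly what the fixed version should no longer do.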
Update Goobi Viewer Core to version 4.8.3 or later. This version contains the fix for the path traversal vulnerability. The update can be performed by downloading the new version from the vendor's website and installing it according to the instructions provided.
CVE-2020-15124 is a critical vulnerability in Goobi Viewer Core versions 4.8.3 and earlier, allowing attackers to access files on the server through path manipulation.
If you are running Goobi Viewer Core version 4.8.3 or earlier, you are affected by this vulnerability and should upgrade immediately.
Upgrade Goobi Viewer Core to version 4.8.3 or later. As a temporary measure, restrict file access permissions and configure a WAF.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it easily exploitable.
Refer to the Goobi Viewer Core documentation and release notes for details on the fix and any related advisories.