CVE-2017-10974 in Web Server

Summary

by MITRE

Yaws 1.91 allows Unauthenticated Remote File Disclosure via HTTP Directory Traversal with /%5C../ to port 8080.


Analysis

by VulDB Data Team • 06/29/2025

The vulnerability identified as CVE-2017-10974 affects Yaws web server version 1.91 and represents a critical directory traversal flaw that enables unauthenticated remote attackers to access arbitrary files on the target system. This vulnerability specifically manifests through HTTP requests directed at port 8080 and leverages the encoded backslash sequence %5C../ to bypass directory restrictions and disclose sensitive files. The flaw stems from inadequate input validation and path sanitization within the web server's file handling mechanisms, allowing attackers to navigate beyond the intended document root directory.

This vulnerability exploits the way Yaws processes file paths in HTTP requests, particularly when handling directory traversal sequences. The %5C../ payload is a URL-encoded backslash followed by directory traversal components; when processed by the vulnerable server, it can result in unauthorized file access. This type of vulnerability falls under CWE-22, Improper Limitation of a Pathname to a Restricted Directory, commonly known as Path Traversal. The attack does not require authentication credentials, which makes it particularly dangerous: any remote user can exploit this flaw without prior access to the system.

The operational impact of CVE-2017-10974 extends beyond simple file disclosure, potentially exposing sensitive system information such as configuration files, source code, database credentials, and other confidential data that may reside within the web server's directory structure. Attackers could leverage this vulnerability to gain insights into the system's architecture, identify additional attack surfaces, and potentially escalate privileges or launch further attacks. The exposure of source code files could reveal implementation details that aid in developing more sophisticated exploits. Additionally, the disclosure of configuration files might contain database connection strings, API keys, or other sensitive credentials that could be used for lateral movement within the network infrastructure.

From a threat modeling perspective, this vulnerability aligns with ATT&CK technique T1213.002, which covers Data from Databases, and T1083, which involves File and Directory Discovery. The vulnerability demonstrates how insufficient input validation can create pathways for attackers to access restricted resources, a fundamental violation of the principle of least privilege. Organizations running Yaws 1.91 on port 8080 are at risk of unauthorized data access, potential data exfiltration, and information disclosure that could compromise the confidentiality and integrity of their systems. Exploitation is straightforward and requires no specialized tools beyond standard HTTP clients, making it accessible to attackers of varying skill levels.

Mitigation strategies for CVE-2017-10974 should focus on immediate patching of the Yaws web server to version 1.92 or later, which contains the necessary fixes for the directory traversal vulnerability. Organizations should also implement network segmentation to restrict access to port 8080, deploy web application firewalls to detect and block malicious path traversal attempts, and conduct regular security assessments to identify similar vulnerabilities in other web applications. Input validation mechanisms should be strengthened to reject or sanitize directory traversal sequences, and access controls should be implemented to limit the exposure of sensitive files. The remediation process should include thorough testing to ensure that the patch does not introduce compatibility issues with existing web applications while maintaining the security posture against similar traversal attacks.
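The input-validation and detection point above, as an added example (not VulDB's or the Yaws project's code): a Python check that percent-decodes a request target and treats a backslash as a path separator before counting `..` segments, run over constructed request lines. The function names, sample paths and the slash-only comparison are assumptions for illustration and do not describe how Yaws itself resolves paths.

```python
from urllib.parse import unquote

# Constructed request lines for illustration; not taken from real traffic.
SAMPLE_REQUESTS = [
    "GET /index.yaws HTTP/1.1",
    "GET /docs/../index.yaws HTTP/1.1",
    "GET /%5C../%5C../example.conf HTTP/1.1",
    "GET /%255C../example.conf HTTP/1.1",
]


def escapes_docroot(raw_path, fold_backslash=True, max_rounds=3):
    """Return True if the decoded path climbs above the document root."""
    path = raw_path.split("?", 1)[0]
    # Decode repeatedly so double-encoded forms such as %255C are unwrapped.
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if fold_backslash:
        # Treat "\" as a separator so "\.." cannot pass as an ordinary name.
        path = path.replace("\\", "/")
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def flag_requests(lines, **kwargs):
    """Return the request targets in `lines` that escape the document root."""
    flagged = []
    for line in lines:
        parts = line.split(" ")
        if len(parts) >= 2 and escapes_docroot(parts[1], **kwargs):
            flagged.append(parts[1])
    return flagged


if __name__ == "__main__":
    print("slash-only check:", flag_requests(SAMPLE_REQUESTS, fold_backslash=False))
    print("backslash folded:", flag_requests(SAMPLE_REQUESTS))
```

A check that splits only on `/` sees `\..` as an ordinary file name and flags nothing in the sample; folding the backslash first flags both encoded forms while leaving in-root paths such as `/docs/../index.yaws` alone.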

Reservation

07/06/2017

Disclosure

07/07/2017

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.81028

KEV

no

Activities

very low

Sources
