CVE-2020-37078 in i-doit Open Source CMDB

Summary

by MITRE • 02/04/2026

i-doit Open Source CMDB 1.14.1 contains a file deletion vulnerability in the import module that allows authenticated attackers to delete arbitrary files by manipulating the delete_import parameter. Attackers can send a POST request to the import module with a crafted filename to remove files from the server's filesystem.


Analysis

by VulDB Data Team • 02/04/2026

CVE-2020-37078 affects the import module of i-doit Open Source CMDB 1.14.1. The module accepts a file name in the delete_import parameter and removes the named file without adequately validating the value, so an authenticated user who can reach the import functionality can delete files outside the directory the feature is meant to operate on. The root cause is insufficient input validation: the user-supplied name is neither matched against an allowed naming pattern nor confined to the import directory before it reaches the delete operation.

Exploitation is a single crafted POST request to the import module in which delete_import carries the path of the file to remove, for example a traversal sequence that walks out of the import directory. Valid credentials are required, so the flaw matters most where many users with differing levels of trust hold accounts on the same CMDB. Whether the module performs any authorization check beyond requiring a login is not stated in the advisory.

The impact is loss of availability and integrity rather than disclosure. The attacker can remove any file the web server process is permitted to delete, which on a typical installation includes the application's own sources, its configuration, cached data and previously uploaded imports; deleting configuration or application files can take the CMDB offline and destroy data that has not been backed up. Database contents are reachable this way only if the database files live on the same host and are writable by the web server account, which is not the usual deployment. The flaw is a failure of input validation and of least privilege at the file-system level: a feature meant to clean up import files has effectively unrestricted delete access.

The fix is to stop treating delete_import as a path. Accept only a bare file name that matches an explicit allow-list pattern, resolve it against the import directory, and refuse anything whose canonical location (after following symlinks) is outside that directory. The deletion should also require a specific import-management privilege rather than mere authentication, and every accepted or rejected deletion should be logged with the requesting user and the submitted value so that traversal attempts are visible to monitoring. Until a fixed version is deployed, restricting the import module to trusted administrators and running the web server with the minimum file-system permissions it needs limits what a successful request can destroy.

The weakness is CWE-22, improper limitation of a pathname to a restricted directory; because the attacker controls the name handed to the delete operation, CWE-73 (external control of file name or path) also applies. It is not an insecure direct object reference in the usual sense, and it does not involve the ATT&CK command-and-scripting-interpreter techniques (T1059.x), since no code is executed; the closest ATT&CK mapping is data destruction (T1485). The vulnerability is a reminder that file operations driven by request parameters need allow-list validation, canonical-path checks and authorization, and that patch management should treat arbitrary-file-deletion bugs as outage and data-loss risks.
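As an added illustration of the flawed pattern and of the controls described above, here is a Python model of a delete_import handler in both its vulnerable and its hardened form, exercised against a constructed directory layout. This is example code written for this page, not i-doit's own code (i-doit is a PHP application); the function names, the allow-list pattern, the can_manage_imports privilege flag and the sample files are all assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed allow-list for import file names: a bare name, no path separators, a known extension.
IMPORT_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,128}$")
ALLOWED_SUFFIXES = {".csv", ".xml", ".json"}


def vulnerable_delete_import(import_dir: str, delete_import: str) -> str:
    """The flawed pattern: the request value is joined to the import directory and
    unlinked as-is. '../' walks out of the directory, and an absolute value makes
    os.path.join discard import_dir entirely."""
    target = os.path.join(import_dir, delete_import)
    os.unlink(target)
    return target


def hardened_delete_import(import_dir: str, delete_import: str, user: dict, audit_log: list) -> str:
    """Confines the deletion to regular files inside import_dir and records every decision.
    user['can_manage_imports'] is an assumed privilege flag, not an i-doit field."""
    who = user["name"]
    if not user.get("can_manage_imports"):
        audit_log.append(f"DENY user={who} reason=unauthorized value={delete_import!r}")
        raise PermissionError("import management privilege required")

    # Allow-list the name itself before touching the filesystem: no '/', '\\' or NUL can pass.
    if not IMPORT_NAME_RE.fullmatch(delete_import) or Path(delete_import).suffix not in ALLOWED_SUFFIXES:
        audit_log.append(f"DENY user={who} reason=bad-name value={delete_import!r}")
        raise ValueError("invalid import file name")

    # Canonicalise both sides. resolve() follows symlinks, so a link planted inside the
    # import directory that points elsewhere fails the parent check as well.
    base = Path(import_dir).resolve()
    target = (base / delete_import).resolve()
    if target.parent != base:
        audit_log.append(f"DENY user={who} reason=outside-import-dir value={delete_import!r}")
        raise ValueError("path escapes import directory")
    if not target.is_file():
        audit_log.append(f"DENY user={who} reason=not-a-file value={delete_import!r}")
        raise FileNotFoundError(delete_import)

    target.unlink()
    audit_log.append(f"OK user={who} deleted={target}")
    return str(target)


def run_demo() -> dict:
    """Constructed scenario: an import directory next to a config file, one legitimate
    import, and the payloads an attacker would POST. Returns what each handler did."""
    results, log = {}, []
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        import_dir = root / "imports"
        import_dir.mkdir()
        config = root / "config.ini"                      # stand-in for a sensitive file
        config.write_text("db_password=example\n")
        (import_dir / "hosts.csv").write_text("hostname,ip\n")
        admin = {"name": "alice", "can_manage_imports": True}
        viewer = {"name": "bob", "can_manage_imports": False}

        # 1. Vulnerable handler, traversal payload: the config file outside the dir is gone.
        vulnerable_delete_import(str(import_dir), "../config.ini")
        results["vulnerable_deleted_config"] = not config.exists()
        config.write_text("db_password=example\n")

        # 2. Hardened handler, same payload: rejected by the name allow-list.
        try:
            hardened_delete_import(str(import_dir), "../config.ini", admin, log)
            results["hardened_blocked_traversal"] = False
        except ValueError:
            results["hardened_blocked_traversal"] = config.exists()

        # 3. Hardened handler, symlink inside the dir pointing outside: rejected after resolve().
        (import_dir / "link.csv").symlink_to(config)
        try:
            hardened_delete_import(str(import_dir), "link.csv", admin, log)
            results["hardened_blocked_symlink"] = False
        except ValueError:
            results["hardened_blocked_symlink"] = config.exists()

        # 4. Hardened handler, user without the privilege: rejected before any path logic.
        try:
            hardened_delete_import(str(import_dir), "hosts.csv", viewer, log)
            results["hardened_blocked_unauthorized"] = False
        except PermissionError:
            results["hardened_blocked_unauthorized"] = (import_dir / "hosts.csv").exists()

        # 5. Hardened handler, legitimate request: the import file is removed and logged.
        hardened_delete_import(str(import_dir), "hosts.csv", admin, log)
        results["hardened_deleted_legit"] = not (import_dir / "hosts.csv").exists()

    results["audit_entries"] = len(log)   # three denials plus one success
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The order of checks matters: authorization first, then the syntactic allow-list, then the canonical-path comparison, so that an unprivileged user learns nothing about the filesystem and a traversal value never reaches a filesystem call. The parent check after resolve() is what stops the symlink case, which a pure string filter on ".." would miss.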

Responsible: VulnCheck

Reservation: 02/01/2026

Disclosure: 02/04/2026

Moderation: accepted

CPE: ready

EPSS: 0.00094

KEV: no

Activities: very low
