CVE-2021-38146 in Holmes Orchestrator
Summary
by MITRE • 11/22/2021
The File Download API in Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read arbitrary files via absolute path traversal in the SearchString JSON field in /home/download POST data.
Analysis
by VulDB Data Team • 11/25/2021
The vulnerability identified as CVE-2021-38146 resides within the File Download API of Wipro Holmes Orchestrator version 20.4.1, representing a critical path traversal flaw that enables remote attackers to access arbitrary files on the underlying system. This vulnerability specifically manifests in the SearchString JSON field within the /home/download POST data endpoint, where insufficient input validation allows malicious actors to manipulate file paths and retrieve sensitive data. The flaw stems from the application's failure to properly sanitize user-supplied input before processing file operations, creating an avenue for unauthorized file access that extends beyond the intended application boundaries.
The technical implementation of this vulnerability follows a classic path traversal pattern: the SearchString parameter accepts file paths without validation or sanitization. The reported case uses an absolute path, and the same missing checks also let relative traversal sequences such as ../ or ..\ through, because the application processes the supplied path directly without authorization checks or path normalization. This lets the attacker navigate the file system hierarchy and read files that should remain protected, including configuration files, database credentials, application source code, and other sensitive artifacts stored on the server. The vulnerability is particularly dangerous because the read happens at the file system level rather than through application logic, so traditional application security controls that only inspect business operations are unlikely to flag it.
From an operational impact perspective, this vulnerability creates significant security risk for organizations running Wipro Holmes Orchestrator 20.4.1, because it gives attackers the capability to extract sensitive information that could lead to further compromise. The exposure covers not only application configuration files but also database connection strings, API keys, and other credentials that could be used for lateral movement within the network. The vulnerability directly maps to CWE-22 Path Traversal and aligns with ATT&CK technique T1074 Data Staged, as attackers can systematically gather and exfiltrate sensitive files from the compromised system. Because the exploit is remote, attackers need neither physical access nor local system credentials, which makes it particularly dangerous wherever the application is reachable over the network.
Organizations affected by this vulnerability should implement immediate mitigations including input validation and sanitization of all user-supplied data, particularly within the SearchString parameter. The recommended approach involves implementing strict path validation that ensures all file paths are properly normalized and restricted to predefined safe directories. Additionally, the application should enforce proper access controls and implement the principle of least privilege, ensuring that the file system operations execute with minimal required permissions. Network-level mitigations such as firewall rules restricting access to the vulnerable endpoint and implementing web application firewalls can provide additional protection layers. The vulnerability also highlights the importance of regular security assessments and patch management processes, as this flaw could have been prevented through proper input validation and secure coding practices that align with industry standards such as OWASP Top Ten and NIST Cybersecurity Framework guidelines.
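As an added example (not code from Holmes Orchestrator or from VulDB), the following Python contrasts the vulnerable join the advisory describes with a resolver that normalizes the SearchString value and confines it to one download directory; DOWNLOAD_ROOT, the function names and the sample inputs are assumptions.

```python
"""Confining a user-supplied file name to a fixed download directory.

Added example, not Holmes Orchestrator code. DOWNLOAD_ROOT and the
function names are assumed. posixpath is used throughout so the checks
behave identically on every platform.
"""
import posixpath
from typing import Optional

DOWNLOAD_ROOT = "/srv/holmes/downloads"  # assumed location of downloadable files


def vulnerable_resolve(search_string: str) -> str:
    # The flaw pattern: an absolute SearchString replaces the root entirely,
    # so join("/srv/holmes/downloads", "/etc/passwd") is just "/etc/passwd".
    return posixpath.join(DOWNLOAD_ROOT, search_string)


def safe_resolve(search_string: str, root: str = DOWNLOAD_ROOT) -> Optional[str]:
    """Return the absolute path of the requested file inside root, or None.

    None means the request must be rejected (and is worth logging).
    """
    # Reject empty names and embedded NULs before touching any path logic.
    if not search_string or "\x00" in search_string:
        return None
    # Treat Windows separators like POSIX ones so "..\\" cannot slip past.
    name = search_string.replace("\\", "/")
    # Absolute POSIX paths and drive-letter paths are never legitimate here.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return None
    # Collapse "a/../b" style sequences; anything still climbing upward is out.
    normalized = posixpath.normpath(name)
    if normalized in (".", "..") or normalized.startswith("../"):
        return None
    candidate = posixpath.normpath(posixpath.join(root, normalized))
    # Final proof: the resolved path must share root as a path component
    # prefix (a plain string prefix test would accept "/srv/holmes/downloads_old").
    if posixpath.commonpath([root, candidate]) != posixpath.normpath(root):
        return None
    return candidate
```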