koha up to 3.14.15/3.16.11/3.18.9/3.20.0 search template_path path traversal

Summaryinfo

A vulnerability was found in koha up to 3.14.15/3.16.11/3.18.9/3.20.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file svc/virtualshelves/search. Executing a manipulation of the argument template_path with the input ..%2f can lead to path traversal. This vulnerability is tracked as CVE-2015-4632. The attack can be launched remotely. Moreover, an exploit is present. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability has been found in koha up to 3.14.15/3.16.11/3.18.9/3.20.0 and classified as critical. This vulnerability affects an unknown code of the file svc/virtualshelves/search. The manipulation of the argument template_path with the input value ..%2f leads to a path traversal vulnerability. The CWE definition for the vulnerability is CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. As an impact it is known to affect confidentiality. CVE summarizes:

Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search.

The weakness was disclosed 10/18/2018 as EDB-ID 37388 as not defined exploit (Exploit-DB). The advisory is shared for download at exploit-db.com. This vulnerability was named CVE-2015-4632 since 06/16/2015. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Technical details and also a public exploit are known. The MITRE ATT&CK project declares the attack technique as T1006.

After immediately, there has been an exploit disclosed. It is possible to download the exploit at exploit-db.com. It is declared as proof-of-concept.

Upgrading to version 3.14.16, 3.16.12, 3.18.10 or 3.20.1 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Exploit-DB (37388). The entries VDB-125753, VDB-125751 and VDB-125750 are pretty similar. VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Name

• koha

Version

• 3.0
• 3.1
• 3.2
• 3.3
• 3.4
• 3.5
• 3.6
• 3.7
• 3.8
• 3.9
• 3.10
• 3.11
• 3.12
• 3.13
• 3.14
• 3.14.0
• 3.14.1
• 3.14.2
• 3.14.3
• 3.14.4
• 3.14.5
• 3.14.6
• 3.14.7
• 3.14.8
• 3.14.9
• 3.14.10
• 3.14.11
• 3.14.12
• 3.14.13
• 3.14.14
• 3.14.15
• 3.15
• 3.16
• 3.16.0
• 3.16.1
• 3.16.2
• 3.16.3
• 3.16.4
• 3.16.5
• 3.16.6
• 3.16.7
• 3.16.8
• 3.16.9
• 3.16.10
• 3.16.11
• 3.17
• 3.18
• 3.18.0
• 3.18.1
• 3.18.2
• 3.18.3
• 3.18.4
• 3.18.5
• 3.18.6
• 3.18.7
• 3.18.8
• 3.18.9
• 3.19
• 3.20.0

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion