Vulnerability Details: CVE-2020-15097
loklak is an open-source server application that collects messages from various sources, including Twitter. The server contains a search index and a peer-to-peer index-sharing interface. All messages are stored in an Elasticsearch index. In loklak at or before commit 5f48476, a path traversal vulnerability exists: insufficient input validation in the APIs exposed by the loklak server allows directory traversal. Any admin configuration and any file readable by the application on the hosting file system can be retrieved by the attacker. Furthermore, user-controlled content can be written to any admin configuration file or other file writable by the application. This has been patched in commit 50dd692. Users need to upgrade their hosted instances of loklak to no longer be vulnerable to this issue.
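The description above is the directory traversal pattern in which a user-supplied path segment is joined onto a restricted directory without being checked. As an added illustration that is not loklak's code, the following Python shows one containment check applied to both the read and the write path; the base directory `/srv/loklak/data` and the file names are constructed sample values.

```python
"""Path containment check for user-supplied file paths.

Added illustration, not loklak's code: a file-serving API receives a
relative path from the client and must confine it to one base directory,
for both reads and writes.
"""
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the base directory."""


def resolve_within(base: str, user_path: str) -> Path:
    """Join user_path onto base and reject anything that escapes base.

    The combined path is resolved first (collapsing "..", "." and
    symlinks) and only then checked for containment, so the check sees
    the path the file system would actually open.
    """
    base_dir = Path(base).resolve()
    # An absolute user_path replaces base_dir entirely when joined with
    # "/", so it is caught by the containment check below as well.
    candidate = (base_dir / user_path).resolve()
    if candidate != base_dir and base_dir not in candidate.parents:
        raise PathTraversalError(f"path escapes {base_dir}: {user_path!r}")
    return candidate


def is_contained(base: str, user_path: str) -> bool:
    """True if user_path stays inside base after resolution."""
    try:
        resolve_within(base, user_path)
        return True
    except PathTraversalError:
        return False


def read_config(base: str, user_path: str) -> bytes:
    """Read a file only after it has passed the containment check."""
    return resolve_within(base, user_path).read_bytes()


def write_config(base: str, user_path: str, data: bytes) -> None:
    """Write a file only after it has passed the containment check."""
    target = resolve_within(base, user_path)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


if __name__ == "__main__":
    # Constructed sample base directory; nothing is read or written here.
    for requested in ("settings/config.properties", "../../etc/passwd"):
        print(requested, "->", is_contained("/srv/loklak/data", requested))
```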
Vulnerability category: Directory traversal
Products affected by CVE-2020-15097
- cpe:2.3:a:loklak_project:loklak:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-15097
- EPSS score: 0.17% (probability of exploitation activity in the next 30 days)
- Percentile: ~54% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2020-15097
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N | 10.0 | 4.9 | NIST | |
9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 3.9 | 5.2 | NIST | |
9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 3.9 | 5.2 | GitHub, Inc. | |
CWE ids for CVE-2020-15097
- The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location outside of the restricted directory. Assigned by: security-advisories@github.com (Primary)
References for CVE-2020-15097
- https://github.com/loklak/loklak_server/security/advisories/GHSA-7557-4v29-rqw6
  Vulnerability - Directory Traversal Attacks in Loklak Instances · Advisory · loklak/loklak_server · GitHub (Third Party Advisory)
- https://github.com/loklak/loklak_server/commit/50dd69230d3cd71dab0bfa7156682ffeca8ed8b9
  Merge pull request from GHSA-7557-4v29-rqw6 · loklak/loklak_server@50dd692 · GitHub (Patch; Third Party Advisory)