Vulnerability-Lookup

GHSA-RWWW-93CX-4H2H

Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13

Details

In order to perform a directory traversal attack, all an attacker needs is a web browser and some knowledge on where to blindly find any default files and directories on the system. on the "Name" parameter the attacker can return to the root directory and open the host file. This might give the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-36717"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-07T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "In order to perform a directory traversal attack, all an attacker needs is a web browser and some knowledge on where to blindly find any default files and directories on the system. on the \"Name\" parameter the attacker can return to the root directory and open the host file. This might give the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system.",
  "id": "GHSA-rwww-93cx-4h2h",
  "modified": "2022-05-24T19:13:15Z",
  "published": "2022-05-24T19:13:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36717"
    },
    {
      "type": "WEB",
      "url": "https://www.gov.il/en/departments/faq/cve_advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2021-36717 (GCVE-0-2021-36717)

Vulnerability from cvelistv5 – Published: 2021-09-07 11:36 – Updated: 2024-08-04 01:01

Title

Synerion TimeNet version 9.21 - Directory Traversal

Summary

Synerion TimeNet version 9.21 contains a directory traversal vulnerability where, on the "Name" parameter, the attacker can return to the root directory and open the host file. This might give the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CWE

Directory Traversal

Assigner

INCD

References

URL

Tags

https://www.gov.il/en/departments/faq/cve_advisories

third-party-advisoryx_refsource_CERT

Impacted products

	Vendor	Product	Version
	Synerion	TimeNet version	Affected: TimeNet 9.21

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:01:59.243Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "INCD CVE Advisories",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT",
              "x_transferred"
            ],
            "url": "https://www.gov.il/en/departments/faq/cve_advisories"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "TimeNet version",
          "vendor": "Synerion",
          "versions": [
            {
              "status": "affected",
              "version": "TimeNet 9.21"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Synerion TimeNet version 9.21 contains a directory traversal vulnerability where, on the \"Name\" parameter, the attacker can return to the root directory and open the host file. This might give the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Directory Traversal",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-09-16T10:42:22.000Z",
        "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
        "shortName": "INCD"
      },
      "references": [
        {
          "name": "INCD CVE Advisories",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT"
          ],
          "url": "https://www.gov.il/en/departments/faq/cve_advisories"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update to TimeNet version 10.2.1"
        }
      ],
      "source": {
        "advisory": "ILVN-2021-0002",
        "defect": [
          "ILVN-2021-0002"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Synerion TimeNet version 9.21 - Directory Traversal",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@cyber.gov.il",
          "ID": "CVE-2021-36717",
          "STATE": "PUBLIC",
          "TITLE": "Synerion TimeNet version 9.21 - Directory Traversal"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "TimeNet version",
                      "version": {
                        "version_data": [
                          {
                            "version_name": "TimeNet",
                            "version_value": "9.21"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Synerion"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Synerion TimeNet version 9.21 contains a directory traversal vulnerability where, on the \"Name\" parameter, the attacker can return to the root directory and open the host file. This might give the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Directory Traversal"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "INCD CVE Advisories",
              "refsource": "CERT",
              "url": "https://www.gov.il/en/departments/faq/cve_advisories"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Update to TimeNet version 10.2.1"
          }
        ],
        "source": {
          "advisory": "ILVN-2021-0002",
          "defect": [
            "ILVN-2021-0002"
          ],
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
    "assignerShortName": "INCD",
    "cveId": "CVE-2021-36717",
    "datePublished": "2021-09-07T11:36:33.000Z",
    "dateReserved": "2021-07-12T00:00:00.000Z",
    "dateUpdated": "2024-08-04T01:01:59.243Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-RWWW-93CX-4H2H

CVE-2021-36717 (GCVE-0-2021-36717)

Tags

Sightings

Nomenclature