#VU23320 Path traversal
Vulnerability identifier: #VU23320
Vulnerability risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-22
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
iobroker.admin
Web applications /
Modules and components for CMS
Vendor: ldittmar
Description
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote unauthenticated attacker (authenticated is disabled by default) can send a specially crafted HTTP request and write files outside the intended /log/route.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
iobroker.admin: 0.2.3 - 3.6.10
CPE
- cpe:2.3:a:ldittmar:iobroker.admin:3.6.10:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.6.9:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.6.8:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.6.7:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.6.5:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.6.4:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.6.3:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.6.2:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.6.0:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.5.10:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.5.9:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.5.8:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.5.7:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.5.6:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.5.5:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.5.4:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.5.3:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.5.2:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.5.1:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.5.0:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.4.9:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.4.8:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.4.7:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.4.6:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.4.5:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.4.4:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.4.3:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.4.2:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.4.1:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.4.0:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.3.9:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.3.8:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.3.7:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.3.6:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.3.5:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.3.3:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.3.2:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.3.1:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.3.0:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.2.4:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.2.3:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.2.2:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.2.1:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.2.0:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.1.12:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.1.11:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.1.10:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.1.9:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.1.8:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.1.7:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.1.6:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.1.5:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.1.4:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.1.3:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.1.2:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:3.1.1:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:2.0.9:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:2.0.7:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:2.0.6:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:2.0.4:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:2.0.2:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:2.0.1:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:2.0.0:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.8.1:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.7.6:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.7.5:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.7.4:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.7.3:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.7.0:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.6.11:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.6.10:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.6.8:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.6.7:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.6.6:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.6.5:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.6.4:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.6.3:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.6.2:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.6.1:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.5.3:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.5.2:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.5.1:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.4.0:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.2.6:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.2.5:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.2.4:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.2.3:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.2.2:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.2.1:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.2.0:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.1.1:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.0.3:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.0.2:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.0.1:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:1.0.0:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.8.7:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.8.6:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.8.5:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.8.4:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.8.3:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.8.2:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.8.0:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.7.5:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.7.4:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.7.3:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.7.2:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.7.1:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.6.6:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.6.5:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.6.4:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.6.3:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.6.2:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.6.1:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.6.0:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.5.13:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.5.12:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.5.11:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.5.10:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.5.9:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.5.8:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.5.7:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.5.6:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.5.5:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.5.4:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.5.3:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.5.2:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.5.1:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.4.8:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.4.7:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.4.6:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.4.5:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.4.4:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.4.3:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.4.2:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.4.1:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.4.0:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.27:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.26:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.25:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.24:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.23:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.22:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.21:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.20:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.19:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.18:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.17:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.16:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.15:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.14:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.13:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.12:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.11:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.10:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.9:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.8:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.7:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.6:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.5:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.4:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.3:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.2:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.3.1:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.2.5:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.2.4:*:*:*:*:npm:*:*
- cpe:2.3:a:ldittmar:iobroker.admin:0.2.3:*:*:*:*:npm:*:*
External links
http://github.com/ioBroker/ioBroker.admin/commit/16b2b325ab47896090bc7f54b77b0a97ed74f5cd
http://snyk.io/vuln/SNYK-JS-IOBROKERADMIN-534634
http://www.npmjs.com/advisories/1346
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
