La Sostenibilità per TIM

Il Report 2024 accoglie i principi della Corporate Sustainability Reporting Directive (CSRD) ed è incluso nella Relazione Finanziaria e di Sostenibilità. Approfondisci

Ultimi Comunicati Stampa

Redazione ufficio stampa

Leggi gli ultimi comunicati stampa e naviga nell'archivio dell'Ufficio Stampa del Gruppo TIM. Leggi i comunicati

CVE-2022-41760

CVE-2022-41760 – NOKIA NFM-T Network Element Manager

Vulnerability Description: Relative Path Traversal – CWE-23

Software Version: R19.9

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-41760

CVSv3: 6.5

Severity: Medium

Credits: Luca Di Giuseppe, Alessandro Bosco, Stefano Scipioni, Massimiliano Brolli

The web server fails to sanitize the input data allowing remote authenticated attacker to read files on the filesystem arbitrarily.

 

Step-by-step instructions and PoC

 

By manipulating the GET "filename" parameter referring to files with sequences such as "dot-dot-slash (../)" it is possible to access arbitrary files and directories stored on the filesystem, including application source code, configuration files and critical system files.

 

Affected Endpoints:

·       URL: https://[...]:8443/oms1350/data/cpb/log?filename=

 

Parameter:

·       filename

 

Below is the evidence.

Detail of the HTTP request/response showing exploitation of the vulnerability.

Security Impact

 

Exploiting this vulnerability on the web portal it was possible to read the files on the filesystem.