CVE-2019-1010308

9.8 CRITICAL

📋 TL;DR

Aquarius CMS versions prior to 4.1.1 have an incorrect access control vulnerability where log files containing sensitive information like passwords are accessible without authentication. Attackers can directly access these files to steal credentials and other sensitive data. All deployments using affected versions are vulnerable.

💻 Affected Systems

Products:
  • Aquaverde GmbH Aquarius CMS
Versions: All versions prior to 4.1.1
Operating Systems: Any OS running Aquarius CMS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. The vulnerability exists in the core CMS component handling log file access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise through credential theft, privilege escalation, and data exfiltration from exposed passwords and sensitive information in logs.

🟠 Likely Case

Unauthorized access to sensitive log data leading to credential harvesting, session hijacking, and potential lateral movement within the system.

🟢 If Mitigated

Minimal impact with proper access controls and log sanitization in place, limiting exposure to non-sensitive information.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires direct file access to log files, which is trivial for attackers with network access to the system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.1

Vendor Advisory: https://github.com/aquaverde/aquarius-core/commit/e1af89aa9df07ea265d879518ede9eb98aa494e0

Restart Required: Yes

Instructions:

1. Back up the current installation and database.
2. Download Aquarius CMS version 4.1.1 or later from the official repository.
3. Replace the existing files with the patched version.
4. Restart the web server and application services.
5. Verify that log file permissions are properly restricted.

🔧 Temporary Workarounds

Restrict log file access permissions (Linux)

Manually set restrictive file permissions on log directories and files to prevent unauthorized access.

chmod 600 /path/to/aquarius/logs/*
chown root:root /path/to/aquarius/logs/

Move logs outside web root (all platforms)

Relocate log files to a directory not accessible via the web server.

mv /var/www/aquarius/logs /var/log/aquarius/
# Then update the Aquarius configuration to use the new log path

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the Aquarius CMS instance.
  • Configure web server (Apache/Nginx) to deny access to log file directories using .htaccess or server configuration rules.

🔍 How to Verify

Check if Vulnerable:

Check if log files at /aquarius/logs/ are accessible via HTTP request or direct file access without authentication.

Check Version:

Check Aquarius CMS admin panel or read version.txt file in installation directory.

Verify Fix Applied:

Attempt to access log files via HTTP and direct file access after patching - both should return access denied errors.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to log file paths
  • Failed authentication attempts followed by log file access

Network Indicators:

  • HTTP requests to /aquarius/logs/* paths from unauthorized IPs
  • Unusual outbound traffic containing log data

SIEM Query:

source="web_server" AND (url_path="/aquarius/logs/" OR url_path CONTAINS ".log") AND response_code=200
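
The same check run directly over web server access logs, as an added example that is not part of the original advisory or the Aquarius project. It assumes Apache/Nginx "combined" log format; the sample lines, file names and IP addresses are constructed. It goes slightly beyond the query above by normalizing the request path (query string, percent-encoding, dot segments, case) before matching, so variants of the same path are still flagged.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Assumed input: Apache/Nginx "combined" access-log lines.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
LOG_PREFIX = "/aquarius/logs/"      # path named in the advisory
SERVED = {"200", "206"}             # 206 = ranged read, also a served body

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2019:10:01:02 +0000] "GET /aquarius/logs/app.log HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [12/Mar/2019:10:01:09 +0000] "GET /aquarius/logs/app.log HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.4 - - [12/Mar/2019:10:02:30 +0000] "GET /Aquarius/logs/./debug.log?x=1 HTTP/1.1" 200 900 "-" "-"',
    '198.51.100.9 - alice [12/Mar/2019:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "-"',
]


def normalized_path(target):
    """Drop the query string, percent-decode, collapse dot segments, lowercase."""
    raw = unquote(target.split("?", 1)[0])
    path = normpath("/" + raw.lstrip("/"))
    if raw.endswith("/") and path != "/":
        path += "/"                 # keep the trailing slash of directory requests
    return path.lower()


def served_log_hits(lines):
    """Return (ip, path, user) for each request that was served a log file."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] not in SERVED:
            continue                # unparsable line, or the server refused it
        path = normalized_path(m["target"])
        if path.startswith(LOG_PREFIX) or path.endswith(".log"):
            hits.append((m["ip"], path, m["user"]))
    return hits


if __name__ == "__main__":
    for ip, path, user in served_log_hits(SAMPLE):
        print(f"log file served: ip={ip} user={user} path={path}")
```

Any hit means a log file was delivered over HTTP; after the fix or a deny rule is in place, the same requests should appear only with 403/404 status and produce no hits.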
