CVE-2020-10366

7.5 HIGH

📋 TL;DR

LogicalDoc before version 8.3.3 contains a directory traversal vulnerability in the /servlet.gupld endpoint. This allows attackers to read arbitrary files on the server by manipulating file paths. All LogicalDoc installations running affected versions are vulnerable.

💻 Affected Systems

Products:
  • LogicalDoc
Versions: All versions before 8.3.3
Operating Systems: All platforms running LogicalDoc
Default Config Vulnerable: ⚠️ Yes
Notes: This is a separate vulnerability from CVE-2020-9423 and CVE-2020-10365 mentioned in the same advisory.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise through reading sensitive files like configuration files, password hashes, or SSH keys, potentially leading to lateral movement and data exfiltration.

🟠

Likely Case

Unauthorized access to sensitive documents stored in LogicalDoc, exposure of system configuration files, and potential credential harvesting.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls, potentially only exposing non-sensitive files.

🌐 Internet-Facing: HIGH - Directory traversal vulnerabilities are easily exploitable and internet-facing instances are directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this to escalate privileges or access sensitive data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Directory traversal vulnerabilities are typically easy to exploit with simple HTTP requests. Public advisories include technical details that facilitate exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.3.3

Vendor Advisory: https://sourceforge.net/p/logicaldoc/code/HEAD/tree/community/logicaldoc/trunk/ReleaseNotes.txt

Restart Required: Yes

Instructions:

1. Backup your LogicalDoc installation and database.
2. Download LogicalDoc 8.3.3 or later from the official source.
3. Follow the LogicalDoc upgrade documentation to apply the update.
4. Restart the LogicalDoc service.

🔧 Temporary Workarounds

Web Application Firewall Rule

Platform: all

Block directory traversal patterns in requests to /servlet.gupld

WAF-specific configuration to block requests containing '../' or similar path traversal sequences

Access Restriction

Platform: linux

Restrict access to the vulnerable endpoint using network controls. Note that the rule below blocks every request to /servlet.gupld, including legitimate uploads, and only inspects cleartext HTTP on port 8080 packet by packet, so it is a coarse stopgap until the patch is applied.

iptables -A INPUT -p tcp --dport 8080 -m string --string "/servlet.gupld" --algo bm -j DROP
Similar rules for other firewall systems

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate LogicalDoc instances from sensitive systems
  • Deploy a web application firewall with rules to detect and block directory traversal attempts

🔍 How to Verify

Check if Vulnerable:

Check if accessing http://[logicaldoc-host]/servlet.gupld?file=../../../../etc/passwd returns system files (test in non-production environment only)

Check Version:

Check the LogicalDoc admin interface or version.txt file in the installation directory

Verify Fix Applied:

After patching, attempt the same directory traversal test and verify it fails or returns an error

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /servlet.gupld containing '../' sequences
  • Unusual file access patterns from web server logs

Network Indicators:

  • HTTP GET requests with path traversal sequences in parameters
  • Multiple failed attempts followed by successful file reads

SIEM Query:

source="web_logs" AND uri_path="/servlet.gupld" AND (uri_query="*../*" OR uri_query="*..\\*" OR uri_query="*%2e%2e%2f*")
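The SIEM query above only matches a few literal encodings. As an added example (not part of this advisory or of LogicalDoc), the following Python scans web server access logs for traversal attempts against /servlet.gupld after decoding the query string, so double-encoded (%252e) and backslash variants are caught too. It assumes combined log format, takes the file parameter name from the verification step above, and uses constructed sample lines.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /servlet.gupld?file=../../../../etc/passwd HTTP/1.1" 200 1842',
    '10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /servlet.gupld?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1842',
    '10.0.0.6 - - [01/Jan/2021:10:00:02 +0000] "GET /servlet.gupld?file=..%255c..%255cconf%255ccontext.xml HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2021:10:00:03 +0000] "GET /servlet.gupld?file=report.pdf HTTP/1.1" 200 9021',
    '10.0.0.8 - - [01/Jan/2021:10:00:04 +0000] "GET /index.jsp?q=../ HTTP/1.1" 200 300',
]

# Assumed log layout: client ip, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)
# A ".." segment that starts a value or follows a separator, after normalization
TRAVERSAL_RE = re.compile(r'(?:^|[/=&?])\.\.(?:/|$)')

def normalize(query: str) -> str:
    """Percent-decode twice (defeats %252e double encoding) and fold backslashes to slashes."""
    decoded = query
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded.replace('\\', '/')

def find_traversal(line: str):
    """Return a hit record if the line is a traversal attempt on /servlet.gupld, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('target').partition('?')
    if path != '/servlet.gupld':
        return None
    if not TRAVERSAL_RE.search(normalize(query)):
        return None
    # A 200 on a traversal request is the strongest signal that a file was actually read
    return {'ip': m.group('ip'), 'status': int(m.group('status')), 'query': query}

def scan(lines):
    """Run find_traversal over every line and keep the hits, in log order."""
    return [hit for hit in (find_traversal(line) for line in lines) if hit]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```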
