CVE-2020-19137
📋 TL;DR
CVE-2020-19137 is an information disclosure vulnerability in Autumn CMS (v1.0.4 and earlier): the API endpoint /autumn-cms/user/getAllUser/ returns every user record, with credentials in clear text, to a requester who has not authenticated at all. A single unauthenticated HTTP GET is enough to harvest the login credentials of all users, administrators included.
💻 Affected Systems
- Autumn CMS
📦 What is this software?
Autumn is an open-source content management system published by the Autumn Project (GitHub repository ShuaiJunlan/Autumn).
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all user accounts, including administrative accounts, leading to full system takeover, data theft, and lateral movement within the network.
Likely Case
Attackers harvest user credentials to gain unauthorized access to the CMS, potentially modifying content, stealing sensitive data, or using compromised accounts for further attacks.
If Mitigated
If the endpoint is blocked and the instance is reachable only from a restricted network, exposure is limited to whoever can still reach the application. The credentials themselves remain retrievable in clear text by anyone with that access, so the passwords still have to be reset.
🎯 Exploit Status
Exploitation requires only a single HTTP GET request to the vulnerable endpoint. No authentication or special conditions needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.0.5 or later
Vendor Advisory: https://github.com/ShuaiJunlan/Autumn/issues/82
Restart Required: Yes
Instructions:
1. Back up the current installation (application files and database).
2. Download Autumn CMS v1.0.5 or later from the official repository.
3. Replace the vulnerable files with the patched version.
4. Restart the web server/service.
5. Force password resets for all users: the credentials were retrievable in clear text, so treat every existing password as compromised.
6. Review the web server logs for earlier requests to /autumn-cms/user/getAllUser/ (see Detection & Monitoring) to decide whether an incident response is needed.
🔧 Temporary Workarounds
Block Vulnerable Endpoint
Add web server rules to block access to the vulnerable API endpoint. The rule only helps when every request reaches the application through that web server; a client that can reach the application port directly bypasses it, and the clear-text credentials are still stored, so this is a stopgap until the patch is applied.
# For Apache (server or virtual-host context; the optional leading slash also lets the rule work from .htaccess):
# RewriteEngine On
# RewriteRule ^/?autumn-cms/user/getAllUser - [F,L]
# For Nginx:
# location ~* ^/autumn-cms/user/getAllUser { return 403; }
Implement Authentication Middleware
Add an authentication requirement to all user-related API endpoints.
# Modify the user controller so that getAllUser (and the other user-management routes) rejects any request without a valid authenticated session, and make sure the check runs before any database query. If the application code cannot be changed, an authenticating reverse proxy in front of the CMS (see "If You Can't Patch") enforces the same requirement from outside.
🧯 If You Can't Patch
- Isolate the Autumn CMS instance behind a reverse proxy with strict authentication requirements
- Implement network-level access controls to restrict who can access the CMS endpoints
🔍 How to Verify
Check if Vulnerable:
Send an HTTP GET request to /autumn-cms/user/getAllUser/?page=1&limit=10 from a client that carries no session cookie and no Authorization header. A 200 response whose body lists user records with password values means the instance is vulnerable. If the first page comes back empty, request page=2 and a larger limit before concluding the instance is not affected.
Check Version:
Check package.json or version file in Autumn CMS installation directory
Verify Fix Applied:
After patching, the same unauthenticated request must be rejected (401/403, or a redirect to the login page) and must not return any user records. A 200 response with an empty list is not proof of the fix; repeat the request while logged in to confirm the endpoint is still functional and is now gated by authentication.
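The check above, as a small script that is an added example for this advisory and not code from the Autumn project. It sends the unauthenticated GET (no cookies, no Authorization header, redirects not followed) and classifies the answer. It assumes the endpoint answers with JSON and that a fixed install rejects the request with 401/403 or bounces it to a login page; the response field names are not documented here, so user records are recognised by key-name pattern (username-like plus password-like key) rather than by exact name, and the sample responses at the bottom are constructed for offline testing.

```python
"""Unauthenticated check for the CVE-2020-19137 getAllUser endpoint.

Added example for this advisory; it is not code from the Autumn project. It assumes
the endpoint answers with JSON and that a fixed install rejects the request with a
401/403 or a redirect to a login page. Response field names are not documented,
so user records are recognised by key-name pattern, not by exact name.
"""
import json
import re
import sys
import urllib.error
import urllib.request

# Endpoint and query string named in the CVE description.
ENDPOINT = "/autumn-cms/user/getAllUser/?page=1&limit=10"

# Assumption: a leaked record has one username-like and one password-like key.
USER_KEY = re.compile(r"user|login|account|name", re.I)
PASS_KEY = re.compile(r"pass|pwd|secret", re.I)


def _walk(obj):
    """Yield every dict nested anywhere inside a parsed JSON value."""
    if isinstance(obj, dict):
        yield obj
        for v in obj.values():
            yield from _walk(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _walk(v)


def extract_records(body: str) -> list:
    """Return the dicts in a JSON body that carry both a username- and a password-like key."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    return [d for d in _walk(data)
            if any(USER_KEY.search(k) for k in d) and any(PASS_KEY.search(k) for k in d)]


def classify(status: int, body: str) -> str:
    """Map one response to 'vulnerable', 'fixed' or 'inconclusive'."""
    if status in (401, 403) or 300 <= status < 400:
        return "fixed"          # rejected or bounced to login: the endpoint is gated
    if status == 200 and extract_records(body):
        return "vulnerable"     # user records with password values served without auth
    return "inconclusive"       # e.g. 200 with an empty list, 404 or 500: inspect by hand


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: the redirect itself is the 'protected' signal we want to see."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, timeout: float = 10.0) -> str:
    """Send the GET with no cookies or Authorization header and classify the answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT, method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read().decode("utf-8", "replace"))


# Constructed sample responses for offline use; not captured from a real instance.
VULNERABLE_SAMPLE = json.dumps({"code": 0, "data": {"total": 2, "items": [
    {"id": 1, "username": "admin", "password": "Admin@123"},
    {"id": 2, "username": "editor", "password": "Welcome1"}]}})
FIXED_SAMPLE = json.dumps({"code": 401, "msg": "login required"})
EMPTY_SAMPLE = json.dumps({"code": 0, "data": {"total": 0, "items": []}})

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))   # python check_getalluser.py http://cms.example.test:8080
    else:
        for name, (status, body) in {"vulnerable": (200, VULNERABLE_SAMPLE),
                                     "fixed": (401, FIXED_SAMPLE),
                                     "empty page": (200, EMPTY_SAMPLE)}.items():
            print(f"{name}: {classify(status, body)}")
```

Run it with the base URL of the instance to probe it; run it with no arguments to see how the three constructed responses are classified. An "inconclusive" result (for example a 200 with an empty item list) is deliberately not reported as fixed: inspect that case by hand, including other page values.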
📡 Detection & Monitoring
Log Indicators:
- HTTP GET requests to /autumn-cms/user/getAllUser/ with parameters
- Unusual access patterns to user API endpoints
- Multiple failed login attempts from new IPs after credential exposure
Network Indicators:
- Unusual outbound traffic patterns after credential harvesting
- Requests to the vulnerable endpoint from unauthorized IPs
SIEM Query:
source="web_server" AND method="GET" AND uri="/autumn-cms/user/getAllUser*"
Match the path as a prefix so that the trailing slash and the page/limit query string do not defeat the rule. Split the results by status: 200 means the user data was served and the credentials must be treated as exposed; 403 means the workaround rule blocked an attempt and identifies who is probing.
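The log indicators above, turned into a script that sweeps a combined-format access log. This is an added example for this advisory, not code from the Autumn project or from any SIEM product. It counts GETs to the getAllUser endpoint per source IP (200 = data served, 403 = blocked by the workaround rule) and, from the moment of the first successful dump, counts login POSTs from IPs the site had never seen before that moment. The login route /autumn-cms/login is an assumption that must be replaced with the instance's real one, and the embedded log lines are constructed sample data.

```python
"""Access-log sweep for CVE-2020-19137 activity (combined log format).

Added example for this advisory; not code from the Autumn project or any SIEM.
It implements the log indicators above: GETs to the getAllUser endpoint (200 = data
served, 403 = blocked by the workaround) and, after the first successful dump,
bursts of login POSTs from IPs never seen before that moment. The login route is
an assumption and must be set to the instance's real one.
"""
import re
from collections import defaultdict
from datetime import datetime

# Vulnerable endpoint path, with or without the trailing slash (query string stripped first).
ENDPOINT_PATH = re.compile(r"^/autumn-cms/user/getAllUser/?$")
# Assumption: the login form posts here. Not documented on this page; adjust as needed.
LOGIN_PATH = "/autumn-cms/login"

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "status": int(m["status"]),
            "path": m["uri"].split("?", 1)[0],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}


def detect(lines, threshold: int = 2) -> dict:
    """Summarise endpoint hits per IP and flag login bursts from IPs new after the first dump."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    dumps, blocked = defaultdict(int), defaultdict(int)
    first_exposure = None
    for e in events:
        if e["method"] == "GET" and ENDPOINT_PATH.match(e["path"]):
            if e["status"] == 200:
                dumps[e["ip"]] += 1            # served: treat all credentials as exposed
                if first_exposure is None:
                    first_exposure = e["ts"]
            elif e["status"] == 403:
                blocked[e["ip"]] += 1          # stopped by the web server rule
    suspicious = {}
    if first_exposure is not None:
        known_ips = {e["ip"] for e in events if e["ts"] < first_exposure}
        logins = defaultdict(int)
        for e in events:
            if (e["method"] == "POST" and e["path"] == LOGIN_PATH
                    and e["ts"] >= first_exposure and e["ip"] not in known_ips):
                logins[e["ip"]] += 1           # login attempts from an IP the site never saw
        suspicious = {ip: n for ip, n in logins.items() if n >= threshold}
    return {"dumps": dict(dumps), "blocked": dict(blocked),
            "first_exposure": first_exposure, "suspicious_logins": suspicious}


# Constructed sample log (RFC 5737 addresses); not taken from a real server.
SAMPLE_LOG = """\
192.0.2.5 - - [10/Mar/2021:09:58:01 +0000] "GET /autumn-cms/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2021:10:00:12 +0000] "GET /autumn-cms/user/getAllUser/?page=1&limit=10 HTTP/1.1" 200 2143 "-" "python-requests/2.25.1"
203.0.113.10 - - [10/Mar/2021:10:00:13 +0000] "GET /autumn-cms/user/getAllUser/?page=2&limit=10 HTTP/1.1" 200 1987 "-" "python-requests/2.25.1"
198.51.100.7 - - [10/Mar/2021:10:03:40 +0000] "POST /autumn-cms/login HTTP/1.1" 401 312 "-" "curl/7.68.0"
198.51.100.7 - - [10/Mar/2021:10:03:41 +0000] "POST /autumn-cms/login HTTP/1.1" 401 312 "-" "curl/7.68.0"
198.51.100.7 - - [10/Mar/2021:10:03:42 +0000] "POST /autumn-cms/login HTTP/1.1" 200 98 "-" "curl/7.68.0"
192.0.2.5 - - [10/Mar/2021:10:05:00 +0000] "POST /autumn-cms/login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
203.0.113.44 - - [10/Mar/2021:11:15:09 +0000] "GET /autumn-cms/user/getAllUser/?page=1&limit=10 HTTP/1.1" 403 153 "-" "curl/7.68.0"
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = detect(fh)
    else:
        report = detect(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample, 203.0.113.10 pulled two pages of user data, 203.0.113.44 was stopped by the 403 rule, and 198.51.100.7, an address never seen before the dump, made three login attempts shortly after it (two failures, then a success), which is the pattern to escalate. Pass a real access log as the first argument to run the same sweep over it.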