CVE-2020-27514

9.1 CRITICAL

📋 TL;DR

CVE-2020-27514 is a directory traversal vulnerability in ZrLog's admin API that allows remote attackers to delete arbitrary files on the server. This can lead to denial of service by deleting critical system files. All ZrLog installations running version 2.1.15 are affected.

💻 Affected Systems

Products:
  • ZrLog
Versions: 2.1.15
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin API access, but authentication bypass may be possible depending on configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through deletion of critical OS files, leading to permanent data loss and system unavailability.

🟠

Likely Case

Deletion of web application files causing service disruption, loss of website content, and potential data corruption.

🟢

If Mitigated

Limited impact if proper file permissions and web server sandboxing are implemented, though service disruption is still possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires sending crafted HTTP requests to the vulnerable endpoint with directory traversal sequences.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.16 or later

Vendor Advisory: https://github.com/94fzb/zrlog/issues/66

Restart Required: Yes

Instructions:

1. Back up your ZrLog installation and database.
2. Download and install ZrLog version 2.1.16 or later from the official repository.
3. Restart the web server or application service.
4. Verify the fix by checking the version and testing the vulnerable endpoint.

🔧 Temporary Workarounds

Restrict Admin API Access

Platform: all

Block access to the vulnerable admin API endpoint using web server configuration or firewall rules.

# For Apache: RewriteRule ^/admin/api/TemplateController - [F]
# For Nginx: location ~ /admin/api/TemplateController { deny all; }

File Permission Hardening

Platform: linux

Set restrictive file permissions on critical system directories outside the web root, and run ZrLog under a dedicated unprivileged account so that a deletion issued through the application cannot reach files that account does not own. Note that mode 700 on /etc, /usr and /var makes them unreadable to every non-root process and will break most services on a typical system; test the commands below on a non-production host before applying them.

chmod 700 /etc /usr /var
chmod 755 /path/to/zrlog

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate ZrLog instances from critical systems.
  • Deploy web application firewall (WAF) with directory traversal protection rules.

🔍 How to Verify

Check if Vulnerable:

Check if ZrLog version is 2.1.15 by examining the application files or admin panel.

Check Version:

grep -r 'version' /path/to/zrlog/install/*.properties

Verify Fix Applied:

Verify installation of version 2.1.16 or later and test that directory traversal attempts to delete files are blocked.
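The check that separates a fixed delete handler from a vulnerable one is path containment: resolve the requested name against the template directory and refuse anything that lands outside it. The following is an added Python illustration of that pattern, not ZrLog's own code (ZrLog is a Java application); the function names `resolve_in_base`, `safe_delete` and `unsafe_delete`, and the temporary directory layout in `demo`, are assumptions made for this demonstration.

```python
import os
import tempfile
from pathlib import Path


def resolve_in_base(base_dir: str, requested: str) -> Path:
    """Return the absolute path for `requested` only if it stays inside base_dir.

    Both sides are fully resolved (symlinks included) before comparison, so
    '../' segments, absolute paths and symlinks pointing outside the template
    directory are all rejected with ValueError.
    """
    base = Path(base_dir).resolve()
    # Strip a leading separator so an absolute path cannot escape the join.
    candidate = (base / requested.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"path escapes template directory: {requested!r}") from None
    if candidate == base:
        raise ValueError("refusing to operate on the template root itself")
    return candidate


def unsafe_delete(base_dir: str, requested: str) -> str:
    """Vulnerable pattern: join and delete without any containment check."""
    target = os.path.join(base_dir, requested)
    os.remove(target)
    return target


def safe_delete(base_dir: str, requested: str) -> str:
    """Hardened pattern: delete only after the containment check passes."""
    target = resolve_in_base(base_dir, requested)
    target.unlink()
    return str(target)


def demo() -> dict:
    """Constructed scenario: a template dir and a config file one level above it."""
    root = Path(tempfile.mkdtemp())
    templates = root / "templates"
    templates.mkdir()
    (templates / "default.zip").write_text("template")
    config = root / "important.conf"
    config.write_text("keep me")

    results = {}
    # A legitimate request inside the template directory succeeds.
    results["safe_ok"] = safe_delete(str(templates), "default.zip")
    results["template_gone"] = not (templates / "default.zip").exists()

    # A traversal request is refused by the hardened version; the file survives.
    try:
        safe_delete(str(templates), "../important.conf")
        results["safe_blocked"] = False
    except ValueError:
        results["safe_blocked"] = True
    results["config_survives"] = config.exists()

    # The same request against the vulnerable pattern removes the file.
    unsafe_delete(str(templates), "../important.conf")
    results["unsafe_deleted"] = not config.exists()
    return results


if __name__ == "__main__":
    print(demo())
```

The comparison is done on resolved paths rather than on the raw string, so stripping `../` with a regex is not needed and encoded or mixed-separator variants are handled by the filesystem resolution itself.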

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../' sequences to admin API endpoints
  • File deletion operations on unexpected paths in system logs

Network Indicators:

  • HTTP POST/PUT requests to /admin/api/TemplateController with path traversal payloads

SIEM Query:

source="web_logs" AND uri="*/admin/api/TemplateController*" AND (payload="*../*" OR payload="*..\\*" OR payload="*%2e%2e*")
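The log indicators and the SIEM query above both match on raw request text. The detector below is an added Python example, not part of this advisory or of ZrLog, that runs the same logic over constructed access-log lines and percent-decodes the URI first so that encoded traversal sequences are not missed. The sample log lines, the IP addresses and the `flag_traversal`/`normalize` names are constructed for this demonstration; the endpoint path is the one named in this advisory.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic
# from any ZrLog host. Two lines are benign, three carry traversal sequences
# against the watched endpoint, and one carries a traversal sequence elsewhere.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2020:12:00:01 +0000] "GET /admin/api/TemplateController?file=default.zip HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2020:12:00:02 +0000] "POST /admin/api/TemplateController?file=../../app.properties HTTP/1.1" 200 17
10.0.0.9 - - [10/Oct/2020:12:00:03 +0000] "POST /admin/api/TemplateController?file=%2e%2e%2f%2e%2e%2fconfig.xml HTTP/1.1" 200 17
10.0.0.7 - - [10/Oct/2020:12:00:04 +0000] "GET /post/hello-world HTTP/1.1" 200 2048
10.0.0.9 - - [10/Oct/2020:12:00:05 +0000] "POST /admin/api/TemplateController?file=..%5c..%5cboot.ini HTTP/1.1" 500 0
10.0.0.3 - - [10/Oct/2020:12:00:06 +0000] "GET /search?q=..%2Fnotes HTTP/1.1" 200 300
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
WATCHED_ENDPOINT = "/admin/api/TemplateController"  # endpoint named in this advisory
# Two dots followed by a forward or back slash, checked after decoding.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")


def normalize(uri: str) -> str:
    """Percent-decode until the string stops changing (catches double encoding)."""
    decoded = uri
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def flag_traversal(log_text: str) -> list:
    """Return one record per request to the watched endpoint whose decoded
    URI contains a traversal sequence. Lines that do not parse are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        decoded = normalize(m["uri"])
        path = decoded.split("?", 1)[0]
        if not path.startswith(WATCHED_ENDPOINT):
            continue
        if TRAVERSAL_RE.search(decoded):
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "method": m["method"],
                "status": int(m["status"]),
                "decoded_uri": decoded,
            })
    return hits


if __name__ == "__main__":
    for hit in flag_traversal(SAMPLE_LOG):
        print(hit)
```

Scoping the match to the admin endpoint keeps noise from the public site out of the alert stream; widening `WATCHED_ENDPOINT` to the whole `/admin/api/` prefix is a reasonable choice where other admin handlers take file names.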

🔗 References