CVE-2020-5683
📋 TL;DR
CVE-2020-5683 is a directory traversal vulnerability in the GROWI wiki that lets a remote attacker write data outside the location the application intended. The vendor advisory summarises the impact as alteration of data on the server and describes the vector only as unspecified; public reporting frames it as uploading a crafted file to an attacker-chosen path. Depending on what can be overwritten, the consequences range from data corruption and defacement to remote code execution. Affected: the v4.2 series before v4.2.3, the v4.1 series before v4.1.12, and every v3 release (the v3 series received no fixed build and must be migrated to v4).
💻 Affected Systems
- GROWI
📦 What is this software?
GROWI is an open-source, Markdown-based team wiki developed by WESEEK, Inc. It is a Node.js application backed by MongoDB (with optional Elasticsearch for full-text search) and is commonly deployed from the official Docker image or a docker-compose setup. Page attachments can be stored on the local filesystem, in MongoDB GridFS, or in object storage such as Amazon S3 or Google Cloud Storage.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution. GROWI runs as a Node.js process, so if the traversal can reach the application's own files, a startup script, or a configuration file read at runtime, the attacker gains code execution as the GROWI service account, with full compromise of the host or container and lateral movement from there.
Likely Case
Unauthorized writes to the filesystem leading to altered wiki data, defacement, or denial of service from overwriting files the service depends on.
If Mitigated
Limited impact if the GROWI process runs as an unprivileged user with write access only to its data directories, attachments are kept out of the code and web-served directories (or stored in GridFS or object storage rather than the local filesystem), and file permissions prevent the service account from touching application files. These controls shrink the set of reachable write targets; they do not remove the bug.
🎯 Exploit Status
The advisory does not detail the vector, and no public exploit is referenced on this page. Whether an unauthenticated client can reach the affected code is not settled by the advisory, so do not rely on authentication as a mitigation. Directory traversal as a class is trivial to attempt once the vulnerable parameter is known (a few ../ segments or their URL-encoded equivalents), so the absence of a published exploit should not be read as protection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.2.3 for the v4.2 series, v4.1.12 for the v4.1 series (no fixed v3 release)
Vendor Advisory: https://github.com/weseek/growi/security/advisories
Restart Required: Yes
Instructions:
1. Back up the GROWI MongoDB database and your configuration (environment variables, docker-compose files, attachment storage).
2. Update GROWI to v4.2.3 (if on v4.2.x) or v4.1.12 (if on v4.1.x).
3. For the v3 series, upgrade to v4.1.12 or v4.2.3. This is a major-version upgrade; test it against a restored copy of the database first.
4. Restart the GROWI service or recreate the container from the new image.
5. Verify the running version (see How to Verify below) rather than trusting the image tag alone.
🔧 Temporary Workarounds
Disable file uploads
Temporarily disable file upload functionality in GROWI to remove the reachable code path. In GROWI the upload method is chosen by the FILE_UPLOAD environment variable or the equivalent admin setting; setting it to none (where your version offers that option; check the vendor documentation for the exact name) stops attachments being stored. This also breaks legitimate image and file attachments, so treat it as a short-term measure.
Implement web application firewall rules
Block directory traversal patterns in requests to upload endpoints. Match not only the literal ../ and ..\ but also their URL-encoded forms (..%2f, ..%5c, %2e%2e%2f, %2e%2e%5c) and double-encoded forms (%252e%252e%252f), and apply the rule after the WAF has normalised the request. A rule that matches only the literal ../ is easy to bypass.
🧯 If You Can't Patch
- Restrict file uploads to a small set of trusted, authenticated accounts and run the GROWI process as an unprivileged user with write access limited to its data directories, so that an escape from the upload directory has few useful targets.
- Implement strict validation of client-supplied filenames and paths: percent-decode (including double encoding), reject NUL bytes, backslashes, absolute paths and any . or .. segment, then confirm the normalised target still lies under the upload directory before writing.
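For the strict validation described above, the following is an added Python example written for this page (it is not GROWI's code and does not reproduce the vulnerable routine). It shows a containment check that defeats plain, URL-encoded and double-encoded traversal before a client-supplied name is joined to the upload directory. The base directory and the attacker strings are made up for the demonstration. The decoding step is also why a WAF rule that matches only the literal ../ is insufficient.

```python
import posixpath
from urllib.parse import unquote


class UnsafeUploadPath(ValueError):
    """Raised when a client-supplied name would leave the upload directory."""


def fully_decode(name, max_rounds=3):
    """Undo percent-encoding until it stops changing, so that double-encoded
    input such as '%252e%252e%252f' is judged as the '../' it becomes."""
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    return name


def safe_upload_path(base_dir, client_name):
    """Return the absolute path under base_dir at which client_name may be
    written, or raise UnsafeUploadPath.

    Order of checks:
      1. decode percent-encoding (including double encoding)
      2. reject NUL bytes and backslashes (a separator on some stacks)
      3. reject absolute paths and any '.' / '..' segment
      4. normalise lexically and confirm the result still sits under base_dir
    The check is lexical. Where symlinks may exist below base_dir, also
    resolve with os.path.realpath (or open with O_NOFOLLOW) before writing.
    """
    name = fully_decode(client_name)
    if "\x00" in name or "\\" in name:
        raise UnsafeUploadPath("NUL or backslash in name")
    if name.startswith("/"):
        raise UnsafeUploadPath("absolute path not allowed")
    parts = [p for p in name.split("/") if p]
    if not parts or any(p in (".", "..") for p in parts):
        raise UnsafeUploadPath("empty name or dot segment")
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, *parts))
    if posixpath.commonpath([base, target]) != base:
        raise UnsafeUploadPath("path escapes upload directory")
    return target


def is_safe(base_dir, client_name):
    """Boolean wrapper, convenient for tests and WAF-style pre-checks."""
    try:
        safe_upload_path(base_dir, client_name)
        return True
    except UnsafeUploadPath:
        return False


if __name__ == "__main__":
    # Constructed inputs: a hypothetical upload directory and attacker strings.
    base = "/srv/growi/uploads"
    for candidate in ["report.pdf", "docs/notes.md", "../../etc/passwd",
                      "%2e%2e%2f%2e%2e%2fetc/passwd", "%252e%252e%252fapp.js",
                      "..\\..\\app.js", "/etc/passwd", "x%00.png"]:
        verdict = "accept" if is_safe(base, candidate) else "REJECT"
        print(f"{candidate!r:40} -> {verdict}")
```

The check deliberately rejects any dot segment rather than normalising it away: a name such as sub/../report.pdf would land inside the directory, but nothing legitimate produces it, and refusing it keeps the rule simple to audit.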
🔍 How to Verify
Check if Vulnerable:
Check the GROWI version in the admin pages or by examining the application files or container. If the version is v3.x, v4.1.x below v4.1.12, or v4.2.x below v4.2.3, the system is vulnerable. Series the advisory does not name (for example v4.0.x) should be treated as unpatched and upgraded.
Check Version:
Read the version from the GROWI admin pages, or for the official Docker image run: docker inspect --format '{{.Config.Image}}' growi_container (prints the image tag) and docker exec growi_container cat /opt/growi/package.json | grep '"version"' (reads the version from the application directory; /opt/growi is the path used by the official image, so substitute your container name and path if they differ). Prefer the package.json or admin-page value over the image tag, since a tag such as latest says nothing about the version actually running.
Verify Fix Applied:
Confirm the running version is v4.1.12 or later within the v4.1 series, or v4.2.3 or later otherwise. Because the advisory does not name the vulnerable parameter, a negative result from sending traversal sequences to the upload endpoint proves little; the version check is authoritative. Any such testing belongs only on instances you own, in a non-production environment.
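The version comparison above, as an added Python helper written for this page (not a GROWI or vendor tool). It classifies a version string, or a Docker image reference, against the affected ranges. Two points are this page's assumptions rather than advisory text: that later series (v4.3 and up) include the fix, and that series the advisory does not name, such as v4.0.x, should be treated as unpatched.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) series.
# The v3 series is listed as affected with no fixed v3 release.
FIXED_BY_SERIES = {(4, 1): (4, 1, 12), (4, 2): (4, 2, 3)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from 'v4.2.2', '4.1.11', or a Docker
    image reference such as 'weseek/growi:4.2.2'. Returns None if absent."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def assess(version_text):
    """Classify a GROWI version against CVE-2020-5683.

    'vulnerable' - v3.x, or v4.1 / v4.2 below the fixed release
    'fixed'      - v4.1.12+, v4.2.3+, or a later series (v4.3+, v5+);
                   that later series carry the fix is this page's assumption
    'unlisted'   - a series the advisory does not name (e.g. v4.0.x, v2.x);
                   treat as unpatched and upgrade (assumption, not advisory text)
    'unknown'    - no x.y.z version could be parsed (e.g. the 'latest' tag)
    """
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    major, minor, _ = v
    if major == 3:
        return "vulnerable"
    fixed = FIXED_BY_SERIES.get((major, minor))
    if fixed is not None:
        return "vulnerable" if v < fixed else "fixed"
    if (major, minor) > (4, 2):
        return "fixed"
    return "unlisted"


if __name__ == "__main__":
    # Constructed inputs covering each branch; the image tags are hypothetical.
    for sample in ["v3.8.1", "weseek/growi:4.1.11", "v4.1.12", "4.2.2",
                   "weseek/growi:4.2.3", "4.3.0", "4.0.5", "weseek/growi:latest"]:
        print(f"{sample:24} {assess(sample)}")
```

Feed it the output of the docker inspect or package.json command from the step above; an 'unknown' result usually means a floating tag such as latest, in which case read the version from inside the container instead.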
📡 Detection & Monitoring
Log Indicators:
- Upload requests whose path or parameters contain traversal sequences, in plain form (../, ..\) or URL-encoded (..%2f, ..%5c, %2e%2e%2f) or double-encoded (%252e%252e%252f) form, whether they succeeded or failed
- Files appearing in directories the upload handler should never write to, such as the application directory or startup scripts
- Many upload requests in quick succession from one user or session, particularly with a scripting User-Agent
Network Indicators:
- HTTP POST requests to upload or attachment endpoints whose path or body contains traversal sequences, including the encoded variants above
- Unusual file extensions (for example .js or .sh on a wiki that normally receives images and documents) or unexpected target paths in upload requests
SIEM Query:
source="growi_logs" AND (message="*upload*" OR message="*attachment*") AND (message="*../*" OR message="*..\\*" OR message="*..%2f*" OR message="*..%5c*" OR message="*%2e%2e*" OR message="*%252e%252e*")
The query assumes the request line lands in a field named message; adjust the field and the endpoint keywords to your log schema, and expect some noise from legitimate filenames that happen to contain consecutive dots.
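The log indicators above as runnable detection logic, added for this page (not a GROWI or vendor artefact). The access-log lines are constructed for the example; the request path /_api/attachments.add and its path parameter are illustrative, since the advisory does not name the vulnerable parameter. The regular expression generalises the SIEM query to URL-encoded and double-encoded traversal, and the per-actor tally covers the "multiple attempts from one session" indicator.

```python
import re
from collections import Counter

# Constructed sample in common log format. IPs are from documentation ranges;
# the endpoint and the ?path= parameter are illustrative, not the real vector.
SAMPLE_LOG = """\
203.0.113.5 - alice [12/Dec/2020:10:01:12 +0000] "POST /_api/attachments.add HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - alice [12/Dec/2020:10:01:40 +0000] "POST /_api/attachments.add?path=../../../etc/cron.d/x HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.7 - bob [12/Dec/2020:10:02:03 +0000] "POST /_api/attachments.add?path=%2e%2e%2f%2e%2e%2fapp%2f HTTP/1.1" 200 512 "-" "python-requests/2.25"
198.51.100.7 - bob [12/Dec/2020:10:02:09 +0000] "POST /_api/attachments.add?path=..%5c..%5cwindows%5c HTTP/1.1" 200 512 "-" "python-requests/2.25"
192.0.2.9 - carol [12/Dec/2020:10:03:00 +0000] "GET /page/Team/Notes HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - carol [12/Dec/2020:10:03:20 +0000] "POST /_api/attachments.add?path=%252e%252e%252fetc%252f HTTP/1.1" 200 512 "-" "curl/7.68.0"
"""

# ip - user [time] "request" status ...
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3})'
)

# Two dots (plain, encoded or double-encoded) followed by a separator in any
# of its plain, encoded or double-encoded forms. Case-insensitive for %2E etc.
TRAVERSAL_RE = re.compile(
    r"(?:\.|%2e|%252e){2}(?:/|\\|%2f|%5c|%252f|%255c)", re.IGNORECASE
)
UPLOAD_ENDPOINT_RE = re.compile(r"attachment|upload", re.IGNORECASE)


def scan(log_text):
    """Return one record per log line whose request line carries a traversal
    sequence. upload_endpoint marks hits against attachment/upload paths."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # not common log format; skip rather than guess
        request = m.group("request")
        if not TRAVERSAL_RE.search(request):
            continue
        method, _, rest = request.partition(" ")
        path = rest.split(" ")[0]
        hits.append({
            "ip": m.group("ip"),
            "user": m.group("user"),
            "time": m.group("time"),
            "method": method,
            "path": path,
            "status": int(m.group("status")),
            "upload_endpoint": bool(UPLOAD_ENDPOINT_RE.search(path)),
        })
    return hits


def by_actor(hits):
    """Tally hits per (ip, user) so repeated attempts from one session stand out."""
    return Counter((h["ip"], h["user"]) for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        flag = "UPLOAD" if h["upload_endpoint"] else "other"
        print(f"{h['time']} {h['ip']:14} {h['user']:6} {h['method']} {flag} {h['path']}")
    for (ip, user), n in by_actor(found).most_common():
        print(f"{n} traversal attempt(s) from {user}@{ip}")
```

A 200 status on a flagged line is the case to escalate first: unlike a WAF log of blocked requests, it means the application accepted the request and the target path should be inspected for an unexpected write.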