CVE-2021-23427
📋 TL;DR
This vulnerability in elFinder.NetCore allows attackers to extract arbitrary files from the server due to insufficient path validation in the ExtractAsync function. All versions of the package are affected, potentially exposing sensitive server files to unauthorized users.
💻 Affected Systems
- elFinder.NetCore
📦 What is this software?
Elfinder.netcore by Elfinder.netcore Project
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through extraction of sensitive configuration files, credentials, or source code leading to further attacks.
Likely Case
Unauthorized access to sensitive files containing application data, configuration secrets, or user information.
If Mitigated
Limited file access restricted by proper input validation and file system permissions.
🎯 Exploit Status
Exploitation requires access to the file extraction functionality but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check package repository for latest version
Vendor Advisory: https://github.com/gordon-matt/elFinder.NetCore/security/advisories
Restart Required: Yes
Instructions:
Update elFinder.NetCore package to latest version via NuGet
Rebuild and redeploy application
Test file extraction functionality
🔧 Temporary Workarounds
Disable file extraction
Applies to: all versions. Temporarily disable the ExtractAsync functionality in the FileSystemDriver
Modify FileSystemDriver.cs to remove or comment out ExtractAsync method
Implement input validation
Applies to: all versions. Add path traversal validation before file extraction
Add validation: if (path.Contains("..") || Path.IsPathRooted(path)) throw new SecurityException();
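The one-line check above rejects any name containing ".." or a rooted path, which is a reasonable stopgap but says nothing about where the resolved path actually lands (for example, a root of C:\data and a sibling C:\data2, or a symlinked entry). The following is an added example, not code from the advisory or from the elFinder.NetCore project, showing the canonicalize-then-compare pattern: resolve each archive entry against the intended root with Path.GetFullPath and refuse anything whose canonical form is not under that root. The class and method names (ArchiveExtractor, SafeResolve, ExtractAll) are assumptions for illustration; it targets .NET 5 or later (OperatingSystem.IsWindows).

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Security;

// Added example (not elFinder.NetCore project code): confine archive extraction
// to a root directory by canonicalizing every entry path before touching disk.
public static class ArchiveExtractor
{
    // Resolve a relative entry name against rootDir and verify the canonical
    // result still lies inside rootDir. Throws on rooted names, traversal
    // ("../"), and prefix tricks such as "/srv/data" vs "/srv/data2".
    public static string SafeResolve(string rootDir, string entryName)
    {
        if (string.IsNullOrWhiteSpace(entryName))
            throw new SecurityException("Empty entry name.");

        // Normalize the root and force a trailing separator so the prefix
        // comparison cannot match a sibling directory that shares a prefix.
        string root = Path.GetFullPath(rootDir)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        // Path.Combine discards the first argument when the second is rooted,
        // so rooted entry names must be rejected before combining.
        if (Path.IsPathRooted(entryName))
            throw new SecurityException($"Rooted entry rejected: {entryName}");

        // GetFullPath collapses "." and ".." segments; compare the result.
        string candidate = Path.GetFullPath(Path.Combine(root, entryName));

        // Windows paths are case-insensitive; Unix paths are not.
        StringComparison cmp = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;
        if (!candidate.StartsWith(root, cmp))
            throw new SecurityException($"Traversal rejected: {entryName}");

        return candidate;
    }

    // Extract every entry of a zip into rootDir, resolving each entry name
    // through SafeResolve first. Existing files are never overwritten.
    public static void ExtractAll(string zipPath, string rootDir)
    {
        using ZipArchive archive = ZipFile.OpenRead(zipPath);
        foreach (ZipArchiveEntry entry in archive.Entries)
        {
            string target = SafeResolve(rootDir, entry.FullName);

            // Directory entries end with a separator and carry no content.
            if (entry.FullName.EndsWith("/") || entry.FullName.EndsWith("\\"))
            {
                Directory.CreateDirectory(target);
                continue;
            }

            Directory.CreateDirectory(Path.GetDirectoryName(target)!);
            entry.ExtractToFile(target, overwrite: false);
        }
    }

    // Demonstration with constructed entry names; no archive is needed.
    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "extract-demo");
        Directory.CreateDirectory(root);

        Console.WriteLine("accepted: " + SafeResolve(root, "docs/readme.txt"));

        foreach (string bad in new[] { "../etc/passwd", "docs/../../x", "/etc/passwd" })
        {
            try
            {
                SafeResolve(root, bad);
                Console.WriteLine("ACCEPTED (unexpected): " + bad);
            }
            catch (SecurityException e)
            {
                Console.WriteLine("rejected: " + e.Message);
            }
        }
    }
}
```

On Linux a backslash is an ordinary filename character, so an entry such as "..\x" resolves to a literal file named "..\x" inside the root rather than escaping it; the prefix comparison still holds either way. If a driver must also honour symlinks inside the root, resolve the target's real path before the comparison.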
🧯 If You Can't Patch
- Implement strict file system permissions to limit accessible directories
- Deploy web application firewall with path traversal rules
🔍 How to Verify
Check if Vulnerable:
Check whether the elFinder.NetCore package is installed and whether its version is older than the latest release
Check Version:
Check project's packages.config or .csproj file for elFinder.NetCore version
Verify Fix Applied:
Test file extraction with malicious paths to ensure validation is working
📡 Detection & Monitoring
Log Indicators:
- Multiple failed file extraction attempts
- Unusual file access patterns from single user
Network Indicators:
- HTTP requests with ../ patterns in file extraction parameters
SIEM Query:
source="web_server" AND (uri="*extract*" AND (param="*../*" OR param="*..\\*"))
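The SIEM query above only matches a literal "../" or "..\" in the parameter; requests that URL-encode the dots or separators (%2e%2e%2f, or double-encoded %252e%252e) would slip past it. As an added example, not part of the advisory, the following C# scanner applies the same indicator to access-log lines after decoding the request URI. The endpoint shape (/elfinder/connector?cmd=extract) and the log lines are constructed for illustration; the class name TraversalDetector is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text.RegularExpressions;

// Added example (not part of the advisory or of elFinder.NetCore): flag access-log
// lines that hit an extract endpoint with a traversal sequence in the URI.
public static class TraversalDetector
{
    // ".." followed by a forward slash, a backslash, or end of string,
    // evaluated after URL-decoding so encoded separators are covered.
    private static readonly Regex Traversal =
        new Regex(@"\.\.(/|\\|$)", RegexOptions.Compiled);

    // Extracts the request URI from a combined-log-format style line.
    private static readonly Regex Request =
        new Regex("\"(?:GET|POST) ([^ ]+) HTTP/", RegexOptions.Compiled);

    public static bool IsSuspicious(string logLine)
    {
        Match m = Request.Match(logLine);
        if (!m.Success) return false;

        string uri = m.Groups[1].Value;
        if (uri.IndexOf("extract", StringComparison.OrdinalIgnoreCase) < 0)
            return false;

        // Decode twice so double-encoded sequences (%252e%252e) are caught too.
        string decoded = WebUtility.UrlDecode(WebUtility.UrlDecode(uri));
        return Traversal.IsMatch(decoded);
    }

    // Returns only the lines worth alerting on.
    public static List<string> Scan(IEnumerable<string> lines)
    {
        var hits = new List<string>();
        foreach (string line in lines)
            if (IsSuspicious(line)) hits.Add(line);
        return hits;
    }

    public static void Main()
    {
        // Constructed sample log lines, not real traffic.
        string[] sample =
        {
            "10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] \"GET /elfinder/connector?cmd=extract&target=l1_docs.zip HTTP/1.1\" 200 512",
            "10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] \"GET /elfinder/connector?cmd=extract&target=l1_..%2F..%2Fetc HTTP/1.1\" 403 0",
            "10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] \"GET /elfinder/connector?cmd=extract&target=l1_%252e%252e%255cwin HTTP/1.1\" 403 0",
            "10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] \"GET /static/app..js HTTP/1.1\" 200 100",
        };

        foreach (string hit in Scan(sample))
            Console.WriteLine("ALERT: " + hit);
        // Expected: the second and third lines are reported; the first is a
        // normal extract request and the fourth is not an extract endpoint.
    }
}
```

Run this over the web server's access log and pair it with the application-side log indicators listed above (repeated failed extractions from one client) to reduce false positives from legitimate filenames containing dots.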
🔗 References
- https://github.com/gordon-matt/elFinder.NetCore/blob/633da9a4d7d5c9baefd1730ee51bf7af54889600/elFinder.NetCore/Drivers/FileSystem/FileSystemDriver.cs#L226
- https://snyk.io/vuln/SNYK-DOTNET-ELFINDERNETCORE-1567778