CVE-2021-3199

9.8 CRITICAL

📋 TL;DR

CVE-2021-3199 is a critical directory traversal vulnerability in the /upload endpoint of ONLYOFFICE Document Server, the endpoint that receives images inserted into a document from the editor. When JWT authentication is enabled, an attacker holding a valid token can place path traversal sequences (../) in the image upload parameters so that the uploaded file is written to an attacker-chosen location on the server instead of the intended storage directory. Because the written content is attacker-controlled, an arbitrary file write of this kind can be escalated to remote code execution on the Document Server host. Any organization running ONLYOFFICE Document Server for document collaboration on a version before 5.6.3 with JWT enabled is affected.

💻 Affected Systems

Products:
  • ONLYOFFICE Document Server
Versions: All versions before 5.6.3
Operating Systems: All supported platforms (Linux, Windows, Docker)
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when JWT (JSON Web Token) authentication is enabled (the services.CoAuthoring.token.enable flags in local.json). Installations that have left JWT off are not affected by this issue; note, however, that running without JWT leaves the editor API itself unauthenticated, so "not affected" is not the same as "safe".

📦 What is this software?

ONLYOFFICE Document Server is the open-source server component of ONLYOFFICE. It provides browser-based editors for text documents, spreadsheets and presentations and is usually embedded in a collaboration platform (Nextcloud, ownCloud, Seafile and similar) through its integration API. The integrator and the Document Server share a JWT secret; the editor and the integrator sign their requests with it, and the /upload endpoint discussed on this page is the one the editor uses to send images for insertion into a document.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise allowing attackers to execute arbitrary code, access sensitive data, and pivot to other systems in the network.

🟠

Likely Case

Unauthorized file upload leading to web shell deployment, data exfiltration, and potential lateral movement within the network.

🟢

If Mitigated

Limited impact where the Document Server is segmented from other systems, file integrity monitoring covers its application and configuration directories, and the service account cannot write to application code, configuration or web-served content, so a traversed write cannot reach anything the server will execute.

🌐 Internet-Facing: HIGH - Exploitable remotely when JWT authentication is enabled. The only thing standing between the internet and this bug is the JWT secret, which every integrator holds and which is frequently copied between config files, so internet-facing instances are prime targets.
🏢 Internal Only: MEDIUM - Exploitable by any internal user or compromised account that can obtain a valid token, including anyone with read access to an integrator's configuration where the shared secret lives. Initial access to the network is still required.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a request signed with the Document Server's JWT secret; the traversal itself is a plain ../ sequence in the image upload parameters. ONLYOFFICE JWTs use a shared symmetric secret, so anyone who has the secret (every integration platform, or anyone who has read it from a config file) can mint a valid token. Multiple public PoC scripts demonstrate reliable exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.6.3 and later

Vendor Advisory: https://github.com/ONLYOFFICE/DocumentServer/blob/903fe5ab7a275bd69c3c3346af2d21cf87ebeabf/CHANGELOG.md#563

Restart Required: Yes

Instructions:

1. Back up the configuration (/etc/onlyoffice/documentserver/) and data (/var/lib/onlyoffice/documentserver/) directories, and the database used by Document Server.
2. Stop the ONLYOFFICE Document Server services.
3. Update to version 5.6.3 or later from the official package repository. For Docker installs, pull the updated image tag and recreate the container with the same volumes and environment.
4. Restart the services.
5. Verify the installed version is 5.6.3 or later and that existing documents still open and save through your integrator.

🔧 Temporary Workarounds

Disable JWT Authentication (Linux, package install)

Temporarily disable JWT authentication only if it is not required: the vulnerability as described here exists only when JWT is enabled. Weigh this carefully. JWT is what authenticates editor and integrator requests to Document Server; with it off, anyone who can reach the server can issue editor API requests. Use this only where the server is reachable solely from trusted integrators on an isolated network, and re-enable it as soon as you have patched.

Edit /etc/onlyoffice/documentserver/local.json and set every flag under services.CoAuthoring.token.enable to false:

{
  "services": {
    "CoAuthoring": {
      "token": {
        "enable": {
          "request": { "inbox": false, "outbox": false },
          "browser": false
        }
      }
    }
  }
}

Then restart the services (supervisorctl restart all on package installs). The integrator's JWT setting must be changed to match, otherwise document loads and save callbacks between the two sides will fail.

Restrict Write Access of the Service Account (Linux)

The traversal lets an upload land outside the storage directory, so the blast radius is bounded by what the Document Server service account can write. Directory permissions do not stop an uploaded file from being executed; what helps is making sure the account cannot overwrite application code, configuration or web-served content. First confirm the service user (ps -o user= -C node on a package install; it is typically ds in 5.x packages and was onlyoffice in older ones), then make the application tree root-owned and not writable by that user, leaving only the data tree writable:

# replace ds with the account shown by ps; test in staging first
chown -R root:root /var/www/onlyoffice/documentserver/
chmod -R go-w /var/www/onlyoffice/documentserver/
chown -R ds:ds /var/lib/onlyoffice/documentserver/

Re-check after the next package upgrade, which may reset ownership. A traversed write can still land anywhere inside the writable data tree, so this is defense in depth, not a fix.

🧯 If You Can't Patch

  • Implement WAF rules that reject requests to the /upload endpoint containing a traversal segment in any form: plain (../ and ..\), URL-encoded (%2e%2e%2f, ..%2f, ..%5c) and double-encoded (%252e%252e%252f). A rule that matches only the literal string /.. is trivially bypassed.
  • Restrict network access to Document Server to the addresses of your integration platforms; a stolen or minted token is useless if the attacker cannot reach the endpoint.
  • Deploy network segmentation to isolate ONLYOFFICE servers from critical systems, and run the service under an account that can only write to its own data directory.

🔍 How to Verify

Check if Vulnerable:

Check if version is below 5.6.3 AND JWT authentication is enabled in configuration.

Check Version:

dpkg -s onlyoffice-documentserver | grep '^Version'   # Debian/Ubuntu
rpm -q onlyoffice-documentserver                      # RHEL/CentOS
docker exec onlyoffice-documentserver dpkg -s onlyoffice-documentserver | grep '^Version'   # Docker (the image is built on the Debian package; adjust the container name)
grep -A4 '"token"' /etc/onlyoffice/documentserver/local.json   # JWT flags: any of request.inbox, request.outbox, browser set to true means JWT is enabled

Verify Fix Applied:

Confirm the installed version is 5.6.3 or higher. Then, in a test environment and with a valid token, submit an upload whose image parameters contain a ../ sequence and confirm that the file is written only inside the Document Server storage directory (App_Data under /var/lib/onlyoffice/documentserver), never at the traversed path. Repeat with a URL-encoded sequence (..%2f) to make sure the check is not only on the literal string.
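The version and JWT checks above combine into a single yes/no answer, which is easier to run across a fleet than reading config files by hand. The script below is an added example and is not ONLYOFFICE project code. It assumes the vulnerable range is everything below 5.6.3 (from the advisory), that JWT counts as enabled when any of services.CoAuthoring.token.enable.request.inbox, .request.outbox or .browser is true, and that local.json overrides default.json key by key; the two embedded config objects are constructed samples, not real installs.

```python
"""Added example (not ONLYOFFICE project code): is this Document Server install
in scope for CVE-2021-3199? Both conditions from the advisory must hold:
package version below 5.6.3 AND JWT authentication enabled.

Assumptions (not from the page): JWT counts as enabled when any of
services.CoAuthoring.token.enable.request.inbox, .request.outbox or
.browser is true, and local.json overrides default.json key by key.
"""
import json
import re
from typing import Any, Dict, Tuple

FIXED_VERSION = (5, 6, 3)

# Constructed sample configs standing in for default.json and local.json.
DEFAULT_CONFIG = json.loads("""
{"services": {"CoAuthoring": {"token": {"enable": {
    "request": {"inbox": false, "outbox": false}, "browser": false}}}}}
""")
LOCAL_CONFIG = json.loads("""
{"services": {"CoAuthoring": {
    "token": {"enable": {"request": {"inbox": true, "outbox": true}, "browser": true}},
    "secret": {"inbox": {"string": "example-shared-secret"}}}}}
""")


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.6.2-23' (dpkg style) or '5.6.2' -> (5, 6, 2). Tuples compare
    numerically, so 5.6.10 is correctly newer than 5.6.3 (a string compare is not)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(text: str) -> bool:
    return parse_version(text) < FIXED_VERSION


def deep_merge(base: Dict[str, Any], override: Dict[str, Any]) -> Dict[str, Any]:
    """Overlay one JSON object on another, recursing into nested objects."""
    merged = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def jwt_enabled(config: Dict[str, Any]) -> bool:
    enable = (config.get("services", {}).get("CoAuthoring", {})
              .get("token", {}).get("enable", {}))
    request = enable.get("request", {})
    flags = (request.get("inbox"), request.get("outbox"), enable.get("browser"))
    return any(bool(f) for f in flags)


def assess(version: str, *config_layers: Dict[str, Any]) -> Dict[str, bool]:
    """Merge config layers in precedence order (default.json first, then
    local.json) and combine the JWT state with the version check."""
    effective: Dict[str, Any] = {}
    for layer in config_layers:
        effective = deep_merge(effective, layer)
    in_range = is_vulnerable_version(version)
    jwt = jwt_enabled(effective)
    return {"version_in_range": in_range, "jwt_enabled": jwt,
            "vulnerable": in_range and jwt}


if __name__ == "__main__":
    # On a real host: version from `dpkg -s onlyoffice-documentserver`,
    # configs loaded from /etc/onlyoffice/documentserver/{default,local}.json.
    for ver in ("5.6.2-23", "5.6.3", "5.6.10"):
        print(ver, "default only      ->", assess(ver, DEFAULT_CONFIG))
        print(ver, "with local.json   ->", assess(ver, DEFAULT_CONFIG, LOCAL_CONFIG))
```

Passing default.json before local.json matters: a local.json that only sets the secret but not the enable flags inherits whatever default.json says, so reading local.json alone can give the wrong answer.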

📡 Detection & Monitoring

Log Indicators:

  • POST requests to the /upload endpoint whose path or parameters contain a .. segment, in plain form (../), URL-encoded (%2e%2e%2f, ..%2f, ..%5c) or double-encoded (%252e%252e%252f); look in the nginx access log that fronts Document Server (under /var/log/onlyoffice/documentserver/ on package installs)
  • New or modified files outside the Document Server data directory (App_Data under /var/lib/onlyoffice/documentserver) owned by the service account; file integrity monitoring on /var/www/onlyoffice and /etc/onlyoffice catches the code-overwrite case
  • JWT validation errors in the docservice log followed by successful /upload requests from the same source, which suggests an attacker iterating on a token

Network Indicators:

  • POST bodies or query strings to /upload carrying traversal sequences in the image upload parameters, from sources that are not your integration platforms
  • Unexpected outbound connections from the Document Server host (reverse shells, payload downloads); its legitimate outbound traffic is limited to callbacks to the integrator and document fetches from it

SIEM Query (Splunk-style; adjust the source to match your ingestion, and match the encoded forms, not only the literal /..):

source="*documentserver*access*" "POST" "/upload" AND ("../" OR "..%2f" OR "..%2F" OR "%2e%2e%2f" OR "%2E%2E%2F" OR "..%5c" OR "%252e%252e")
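A string match in the SIEM misses anything the query did not list, so a decoding step is worth having where log processing happens. The script below is an added example, not code from the page or from ONLYOFFICE: it percent-decodes each request target until stable (bounded, to catch double encoding), folds backslashes, and flags POSTs to an /upload path whose path or query values contain a whole ".." segment. The five log lines are constructed in nginx combined format; the real upload path layout and parameter names vary by Document Server version, so treat the /upload prefix as an assumption.

```python
"""Added example (not from the page or from ONLYOFFICE): scan web-server access
log lines for POST requests to /upload whose path or query parameters carry a
directory traversal segment, including percent-encoded and double-encoded
forms that a literal search for "/.." would miss.

Assumptions (not from the page): lines are in nginx "combined" format, and
the sample lines below are constructed; real upload paths and parameter
names vary by Document Server version.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' that forms a whole path segment, evaluated after decoding.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
# The upload endpoint, allowing for a reverse-proxy sub-path in front of it.
UPLOAD_RE = re.compile(r"(^|/)upload(/|$)")

# Constructed sample log: one benign upload, three traversal attempts in
# different encodings, and a traversal against a non-upload path.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2021:12:00:01 +0000] "POST /upload/doc1/user1/0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2021:12:00:02 +0000] "POST /upload/doc1/user1/../../../../tmp/x.js HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Jan/2021:12:00:03 +0000] "POST /upload/doc1/user1/0?filename=..%2F..%2Fx.js HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.8 - - [10/Jan/2021:12:00:04 +0000] "POST /upload/doc1/user1/%252e%252e%252f%252e%252e%252fx.js HTTP/1.1" 200 512 "-" "python-requests/2.25"',
    '203.0.113.9 - - [10/Jan/2021:12:00:05 +0000] "GET /web-apps/../index.html HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]


def normalise(target: str) -> str:
    """Percent-decode until stable (bounded, to survive double encoding)
    and fold backslashes so '..\\' is treated like '../'."""
    decoded = target
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded.replace("\\", "/")


def has_traversal(target: str) -> bool:
    """True if the decoded path, or any decoded query value, contains a '..' segment."""
    path, _, query = normalise(target).partition("?")
    values = [kv.split("=", 1)[1] for kv in query.split("&") if "=" in kv]
    return any(TRAVERSAL_RE.search(piece) for piece in [path] + values)


def scan_lines(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per POST to an /upload path that carries traversal."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["target"].split("?", 1)[0]
        if not UPLOAD_RE.search(path):
            continue
        if has_traversal(m["target"]):
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "target": m["target"], "decoded": normalise(m["target"])})
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], f["decoded"])
```

The decoded form is kept alongside the raw target so an analyst sees both what the attacker sent and what the server would have resolved; a 200 on such a request is the line to escalate, since it means the write was accepted.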
