CVE-2021-44977

7.5 HIGH

📋 TL;DR

This CVE describes a directory traversal vulnerability in iCMS content management system that allows attackers to read arbitrary files on the server. The vulnerability affects iCMS versions up to and including 8.0.0. Attackers can exploit this to access sensitive files like configuration files, password files, or other system files.

💻 Affected Systems

Products:
  • iCMS Content Management System
Versions: <= 8.0.0
Operating Systems: All operating systems running iCMS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected iCMS versions are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could read sensitive system files including configuration files with database credentials, password files, or other critical system files, potentially leading to full system compromise.

🟠 Likely Case

Attackers will read configuration files to extract database credentials and other sensitive information, then use this to escalate privileges or access other systems.

🟢 If Mitigated

With proper file permissions and web server configuration, impact is limited to files accessible by the web server user.

🌐 Internet-Facing: HIGH - This vulnerability is exploitable via web requests and affects internet-facing content management systems.
🏢 Internal Only: MEDIUM - While still exploitable, internal systems may have additional network controls and monitoring.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is simple to exploit and public proof-of-concept details are available in the provided references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 8.0.0

Vendor Advisory: https://gem-love.com/2021/12/10/ICMS-8-0-0%E5%90%8E%E5%8F%B0%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%960day%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/

Restart Required: No

Instructions:

1. Upgrade iCMS to a version newer than 8.0.0.
2. Apply any available security patches from the vendor.
3. Verify the fix by testing directory traversal attempts.

🔧 Temporary Workarounds

Web Server Input Validation

all

Configure web server (Apache/Nginx) to block directory traversal patterns in URLs

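# Apache: Add to .htaccess (requires mod_rewrite)
RewriteEngine On
# REQUEST_URI excludes the query string, so test both; %2e is an encoded dot
RewriteCond %{REQUEST_URI} \.\. [OR]
RewriteCond %{QUERY_STRING} (\.|%2e)(\.|%2e) [NC]
RewriteRule .* - [F]
# Nginx: Add to server block
# $request_uri is the raw request target including the query string; a location
# regex only sees the normalized path. Neither rule inspects POST bodies.
if ($request_uri ~* "(\.|%2e)(\.|%2e)") { return 403; }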

File Permission Restriction

linux

Restrict web server user permissions to only necessary directories

# Linux example
chmod 750 /var/www/html/icms/
chown www-data:www-data /var/www/html/icms/
chmod 600 /var/www/html/icms/config/*

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block directory traversal patterns
  • Restrict network access to the iCMS instance using firewall rules

🔍 How to Verify

Check if Vulnerable:

Test by attempting to access files outside the web root using directory traversal sequences like ../../../../etc/passwd in vulnerable parameters

Check Version:

Check iCMS version in admin panel or look for version information in source code comments

Verify Fix Applied:

Attempt the same directory traversal tests after patching - they should be blocked or return error messages

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests containing ../ patterns
  • Requests for unusual file extensions or system files
  • 403/404 errors for traversal attempts if blocked

Network Indicators:

  • HTTP requests with ../ sequences in parameters
  • Requests for system files like /etc/passwd, /etc/shadow, config files

SIEM Query:

web.url:*..* AND (web.url:*etc* OR web.url:*config* OR web.url:*passwd*)
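
The log indicators above, written as a check over access-log lines in Combined Log Format. This is an added example, not part of the original advisory or of iCMS. The sample lines, the /app.php path and the f parameter are constructed. It percent-decodes before matching, on the assumption that the logged URL is stored raw, in which case a wildcard match on ".." misses encoded sequences and also fires on harmless names.

```python
import re
from urllib.parse import unquote

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')                 # ".." followed by a separator
SENSITIVE_RE = re.compile(r'etc/(passwd|shadow)|config', re.I)

def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded dots both surface."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(line):
    """Return (client, status, reason) for a suspicious line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    decoded = fully_decode(target)
    if not TRAVERSAL_RE.search(decoded):
        return None
    reason = "traversal+sensitive" if SENSITIVE_RE.search(decoded) else "traversal"
    # A 200 on a traversal request means no block held: triage these first.
    if status == "200":
        reason += "+served"
    return client, int(status), reason

# Constructed sample lines (hypothetical paths, documentation-range addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:10:00:01 +0000] "GET /index.php?page=2 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Dec/2021:10:00:05 +0000] "GET /app.php?f=../../../../etc/passwd HTTP/1.1" 403 199',
    '203.0.113.9 - - [10/Dec/2021:10:00:06 +0000] "GET /app.php?f=%2e%2e%2f%2e%2e%2fconfig%2fdb.php HTTP/1.1" 200 812',
    '203.0.113.9 - - [10/Dec/2021:10:00:07 +0000] "GET /app.php?f=%252e%252e%252fnotes.txt HTTP/1.1" 404 153',
    '198.51.100.4 - - [10/Dec/2021:10:01:00 +0000] "GET /docs/v1..2/readme HTTP/1.1" 200 900',
]

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for client, status, reason in scan(SAMPLE_LOG):
        print(client, status, reason)
```

Only the request line is logged in this format, so traversal sequences sent in POST bodies need application or WAF logging to be seen.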
