CVE-2021-45746
📋 TL;DR
This CVE describes a directory traversal vulnerability in WeBankPartners wecube-platform version 3.2.1 that allows attackers to read arbitrary files on the server via the file parameter in PluginPackageController.java. Organizations running wecube-platform 3.2.1 are affected. The vulnerability enables unauthorized file access through path traversal sequences.
💻 Affected Systems
- WeBankPartners wecube-platform
📦 What is this software?
Wecube by Webank
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive system files, configuration files, or application source code, potentially leading to credential theft, privilege escalation, or further system compromise.
Likely Case
Unauthorized access to application configuration files, potentially exposing database credentials, API keys, or other sensitive configuration data.
If Mitigated
With proper input validation and access controls in place, traversal requests are rejected at the application layer and there is no impact.
🎯 Exploit Status
Directory traversal vulnerabilities typically require minimal technical skill to exploit once the vulnerable endpoint is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.2 or later
Vendor Advisory: https://github.com/WeBankPartners/wecube-platform/issues/2297
Restart Required: Yes
Instructions:
1. Upgrade wecube-platform to version 3.2.2 or later.
2. Restart the wecube-platform service.
3. Verify the fix by testing the previously vulnerable endpoint.
🔧 Temporary Workarounds
Input Validation Filter
Implement input validation to block directory traversal sequences in the file parameter
Implement code to filter '../', '..\', and similar traversal sequences in PluginPackageController.java
Web Application Firewall Rule
Block requests containing directory traversal patterns
Add WAF rule to block requests with '../', '..\', or similar patterns in URL parameters
🧯 If You Can't Patch
- Restrict network access to wecube-platform to trusted IP addresses only
- Implement strict file system permissions to limit what files the application user can access
🔍 How to Verify
Check if Vulnerable:
Check if running wecube-platform version 3.2.1. Test the vulnerable endpoint with directory traversal payloads like '../../etc/passwd' in the file parameter.
Check Version:
Check application version in wecube-platform interface or configuration files
Verify Fix Applied:
After patching, test the previously vulnerable endpoint with directory traversal payloads to confirm they are blocked. Verify version is 3.2.2 or later.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with '../', '..\', or similar patterns in URL parameters
- Unusual file access patterns from web application user
Network Indicators:
- HTTP requests to PluginPackageController endpoints with suspicious file parameters
SIEM Query:
web.url:*../* AND (web.url:*PluginPackageController* OR web.url:*file=*)
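The input filter described under Temporary Workarounds and the log indicators listed above, as an added example that is not part of this advisory or of wecube-platform: the base directory, route path, log lines and function names are constructed. It canonicalizes the requested path and checks it against the base directory rather than only stripping '../', because percent-encoded and double-encoded variants slip past a plain string filter.

```python
# Added example, not wecube-platform code: canonical path check for a
# user-supplied file name plus a log scan for the traversal indicators above.
import os
import re
from urllib.parse import unquote

def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded '%252e%252e/' is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def looks_like_traversal(param: str) -> bool:
    """Filter/WAF-style check: any '..' path segment after decoding,
    treating backslash as a separator so '..\\' is caught too."""
    return ".." in decode_fully(param).replace("\\", "/").split("/")

def safe_resolve(base_dir: str, requested: str):
    """Canonicalize and require the target to stay under base_dir (None = rejected).
    commonpath, not startswith, so a sibling like base_dir + '-old' does not match."""
    base = os.path.realpath(base_dir)
    cleaned = decode_fully(requested).replace("\\", "/")
    target = os.path.realpath(os.path.join(base, cleaned))
    return target if os.path.commonpath([base, target]) == base else None

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_traversal_requests(log_lines):
    """Return request URLs whose query values contain a traversal segment."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = m.group(1)
        for pair in url.partition("?")[2].split("&"):
            if looks_like_traversal(pair.partition("=")[2]):
                hits.append(url)
                break
    return hits

# Constructed access-log lines; the endpoint path is illustrative, not the real route.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2022:10:00:00 +0000] "GET /plugin-packages/file?file=pkg-1.0.zip HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2022:10:00:07 +0000] "GET /plugin-packages/file?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1834',
    '10.0.0.9 - - [01/Jan/2022:10:00:09 +0000] "GET /plugin-packages/file?file=..%252F..%252Fconf%252Fapplication.properties HTTP/1.1" 200 900',
]
```

The third sample line is the case a single-decode filter misses; `flag_traversal_requests` catches it because `decode_fully` decodes until the value stops changing.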