CVE-2021-47755
📋 TL;DR
CVE-2021-47755 is a path traversal vulnerability in Oliver Library Server v5 that allows unauthenticated attackers to download arbitrary files from the server filesystem by manipulating the 'fileName' parameter in the FileServlet endpoint. This affects all organizations running vulnerable versions of Oliver Library Server v5, potentially exposing sensitive configuration files, credentials, and system data.
💻 Affected Systems
- Oliver Library Server
📦 What is this software?
Oliver V5 Library by Softlinkint
⚠️ Risk & Real-World Impact
Worst Case
Attackers could download critical system files like /etc/passwd, /etc/shadow, configuration files containing database credentials, SSH keys, or sensitive application data, leading to complete system compromise.
Likely Case
Attackers will download configuration files to find database credentials, API keys, and other sensitive information that can be used for further attacks or data exfiltration.
If Mitigated
With proper network segmentation and access controls, the impact is limited to files accessible by the web server process, though sensitive application data may still be exposed.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB (ID: 50599). The attack requires no authentication and uses simple path traversal techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in CVE details, but vendor likely released patch for v5
Vendor Advisory: https://www.softlinkint.com/product/oliver/
Restart Required: Yes
Instructions:
1. Check vendor advisory for specific patch version.
2. Backup current installation.
3. Apply vendor-provided patch or upgrade to fixed version.
4. Restart Oliver Library Server service.
5. Verify fix by testing the FileServlet endpoint.
🔧 Temporary Workarounds
Input Validation Filter
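Implement input validation to block path traversal sequences in the fileName parameter
Modify FileServlet.java to validate the fileName parameter against allowed patterns
Add input sanitization before the file is opened: if (fileName == null || fileName.contains("..") || fileName.contains("/") || fileName.contains("\\")) { response.sendError(HttpServletResponse.SC_BAD_REQUEST); return; } (response is assumed here to be the handler's HttpServletResponse)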
Web Application Firewall Rule
Block requests containing path traversal patterns in the fileName parameter
WAF rule: deny requests where fileName parameter contains "..", "/", or "\\"
🧯 If You Can't Patch
- Implement network segmentation to restrict access to Oliver Library Server from untrusted networks
- Deploy a reverse proxy with input validation to sanitize all requests before they reach the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Test by sending a request to the FileServlet endpoint with a path traversal payload: GET /FileServlet?fileName=../../../../etc/passwd
Check Version:
Check Oliver Library Server administration interface or configuration files for version information
Verify Fix Applied:
Attempt the same path traversal attack after patching - it should return an error or empty response instead of file contents
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to FileServlet with fileName parameter containing "..", "/", or "\\"
- Multiple failed file access attempts from single IP
- Access to unusual file paths through FileServlet
Network Indicators:
- Unusual file download patterns from the FileServlet endpoint
- Requests for known sensitive files like /etc/passwd, web.config, etc.
SIEM Query:
source="oliver-logs" AND uri_path="/FileServlet" AND (query_string="*..*" OR query_string="*/*" OR query_string="*\\*")
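The log indicators above, applied to access-log lines as an added example (not vendor code and not part of the original advisory). It percent-decodes the fileName value before matching, because a literal match on the raw query string only sees the undecoded form. The log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in an assumed combined-log-style format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2022:10:00:01 +0000] "GET /FileServlet?fileName=report.pdf HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2022:10:00:05 +0000] "GET /FileServlet?fileName=../../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.9 - - [01/Jan/2022:10:00:09 +0000] "GET /FileServlet?fileName=%2e%2e%2f%2e%2e%2fconf%2fdb.properties HTTP/1.1" 200 412
203.0.113.9 - - [01/Jan/2022:10:00:12 +0000] "GET /FileServlet?fileName=%252e%252e%255cweb.config HTTP/1.1" 404 0
198.51.100.4 - - [01/Jan/2022:10:01:00 +0000] "GET /search?q=a/b HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
TRAVERSAL_TOKENS = ("..", "/", "\\")  # the three patterns named in the advisory


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_text):
    """Return (client_ip, decoded_fileName, status) for flagged FileServlet hits."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, status, _size = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/FileServlet"):
            continue
        # parse_qs decodes once; fully_decode handles further encoding layers.
        for raw in parse_qs(url.query).get("fileName", []):
            name = fully_decode(raw)
            if any(tok in name for tok in TRAVERSAL_TOKENS):
                hits.append((ip, name, int(status)))
    return hits


if __name__ == "__main__":
    for ip, name, status in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} fileName={name!r}")
```

A flagged request with status 200 and a non-zero response size is the one to triage first, since it suggests file contents were returned.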