Login Sign Up

CVE-2022-28380

7.5 HIGH
Authentication Bypass

📋 TL;DR

This vulnerability allows directory traversal attacks in the rc-httpd component of 9front (a Plan 9 fork) when serve-static is used. Attackers can access files outside the intended web root directory using ..%2f sequences. Systems running 9front with rc-httpd using serve-static are affected.

💻 Affected Systems

Products:
  • 9front (Plan 9 fork)
Versions: All versions through 2022-03-31
Operating Systems: 9front/Plan 9
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects configurations using rc-httpd with serve-static enabled.

📦 What is this software?

Rc Httpd by Rc Httpd Project

View all CVEs affecting Rc Httpd →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise through reading sensitive system files like /etc/passwd, configuration files, or source code, potentially leading to credential theft or further exploitation.

🟠

Likely Case

Unauthorized access to sensitive files within the web server's accessible directory tree, potentially exposing configuration files, logs, or application data.

🟢

If Mitigated

Limited impact with proper file permissions and web server configuration restricting access to sensitive directories.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Directory traversal vulnerabilities are commonly exploited and require minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 241667b933ff5bacb9a3974f6877fb8aad78bed3 and later

Vendor Advisory: https://git.9front.org/plan9front/plan9front/241667b933ff5bacb9a3974f6877fb8aad78bed3/commit.html

Restart Required: Yes

Instructions:

1. Update 9front to latest version. 2. Apply commit 241667b933ff5bacb9a3974f6877fb8aad78bed3. 3. Restart rc-httpd service.

🔧 Temporary Workarounds

Disable serve-static

all

Remove or disable serve-static functionality in rc-httpd configuration

Edit rc-httpd configuration to remove serve-static directives

Input validation filter

all

Add URL filtering to block ..%2f sequences

Add URL sanitization rules to reject requests containing ..%2f

🧯 If You Can't Patch

  • Implement strict file permissions on sensitive directories
  • Deploy web application firewall (WAF) with directory traversal protection rules

🔍 How to Verify

Check if Vulnerable:

Test with curl: curl -v 'http://target/path/..%2f..%2fetc/passwd' and check if sensitive files are returned

Check Version:

Check 9front version and verify commit 241667b933ff5bacb9a3974f6877fb8aad78bed3 is applied

Verify Fix Applied:

Repeat vulnerability test after patch - should return 403/404 error instead of file contents

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing ..%2f patterns
  • Access to unexpected file paths in web logs
  • 403/404 errors for traversal attempts after fix

Network Indicators:

  • HTTP traffic with encoded directory traversal sequences
  • Unusual file access patterns from single IPs

SIEM Query:

web_access_logs WHERE url CONTAINS '..%2f'

📊 Metadata

CVE ID: CVE-2022-28380
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-22
Published: April 3, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-28380, you might also want to check these:

CVE-2024-43955 10.0

CVE-2024-43955 is an unauthenticated path traversal vulnerability in the Droip WordPress plugin that...

Same vulnerability type (CWE-22)
CVE-2025-54261 10.0

This critical path traversal vulnerability in Adobe ColdFusion allows attackers to escape restricted...

Same vulnerability type (CWE-22)
CVE-2024-40628 10.0

This critical vulnerability in JumpServer allows attackers to read arbitrary files from the Celery c...

Same vulnerability type (CWE-22)