CVE-2023-39141

7.5 HIGH

📋 TL;DR

CVE-2023-39141 is a path traversal vulnerability in webui-aria2 that allows attackers to read arbitrary files on the server. It affects systems running vulnerable versions of the webui-aria2 web interface for the aria2 download manager. Attackers can exploit it without authentication to access sensitive files.

💻 Affected Systems

Products:
  • webui-aria2
Versions: Before commit 4fe2e (specifically commit 109903f0e2774cf948698cd95a01f77f33d7dd2c and earlier)
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the node-server.js file at line 10 where user input is not properly sanitized before file operations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise through reading sensitive configuration files, SSH keys, or other credentials leading to lateral movement.
🟠 Likely Case: Unauthorized access to sensitive files containing configuration data, credentials, or application source code.
🟢 If Mitigated: Limited impact if proper file permissions and network segmentation are in place, restricting access to critical system files.

🌐 Internet-Facing: HIGH - The vulnerability is unauthenticated and can be exploited remotely if the web interface is exposed to the internet.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this to escalate privileges or access sensitive data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept is publicly available in the GitHub gist references. Exploitation requires only HTTP requests with crafted paths.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 4fe2e or later

Vendor Advisory: https://github.com/ziahamza/webui-aria2/commit/4fe2e

Restart Required: Yes

Instructions:

1. Update to commit 4fe2e or later from the GitHub repository.
2. Replace the vulnerable node-server.js file.
3. Restart the webui-aria2 service.

🔧 Temporary Workarounds

Network Access Restriction (Linux)

Restrict access to the webui-aria2 interface to trusted networks only:

iptables -A INPUT -p tcp --dport [webui-port] -s [trusted-network] -j ACCEPT
iptables -A INPUT -p tcp --dport [webui-port] -j DROP

File Permission Hardening (Linux)

Set strict file permissions to limit which files can be read even if the vulnerability is exploited:

# /etc/passwd must stay world-readable (0644) for user lookups; restrict /etc/shadow only
chmod 600 /etc/shadow
chmod 700 ~/.ssh
chmod 600 ~/.ssh/*

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block path traversal patterns like '../' in URLs
  • Run webui-aria2 in a container or chroot jail with minimal file system access

🔍 How to Verify

Check if Vulnerable:

Check if your node-server.js file contains the vulnerable code at line 10 from commit 109903f0e2774cf948698cd95a01f77f33d7dd2c

Check Version:

git log --oneline -1 node-server.js

Verify Fix Applied:

Verify that node-server.js has been updated to commit 4fe2e or later and no longer contains the unsanitized path concatenation
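
The kind of containment check that replaces unsanitized path concatenation, as an added example (not the webui-aria2 source or its patch): `naiveResolve` shows the concatenation pattern described above and `safeResolve` a hardened form. The function names and the web root `/srv/webui` are assumptions made for illustration.

```javascript
// Added example: constructed for illustration, not the webui-aria2 source.
const path = require("path");

// The pattern the advisory describes: the request path is concatenated onto
// the web root. path.join() collapses ".." segments, so the result can
// point outside the root.
function naiveResolve(root, urlPath) {
  return path.join(root, urlPath);
}

// Hardened form: decode once, resolve, then verify the result is still
// inside the root. Returns an absolute path, or null if the request is rejected.
function safeResolve(root, rawUrl) {
  const absRoot = path.resolve(root);
  let pathname;
  try {
    // Drop query string and fragment, then percent-decode exactly once so
    // %2e%2e%2f is seen as "../" before the check, not after it.
    pathname = decodeURIComponent(rawUrl.split(/[?#]/)[0]);
  } catch (err) {
    return null; // malformed percent-encoding
  }
  if (pathname.includes("\0")) return null; // NUL byte in a file name

  // Always resolve relative to the root, even when the path starts with "/".
  const candidate = path.resolve(absRoot, "." + path.sep + pathname);
  const rel = path.relative(absRoot, candidate);
  const escapes =
    rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  return escapes ? null : candidate;
}

// Constructed sample requests; /srv/webui is an assumed web root.
for (const url of ["/index.html", "/../../etc/passwd", "/%2e%2e%2f%2e%2e%2fetc/passwd"]) {
  console.log(url, "->", safeResolve("/srv/webui", url));
}
```

A request that `safeResolve` rejects should be answered with an error status and logged, which also feeds the log indicators listed under Detection & Monitoring.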

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../' patterns in URLs
  • Access to unusual file paths via web interface
  • Failed file access attempts to system directories

Network Indicators:

  • HTTP GET requests with encoded path traversal sequences (%2e%2e%2f)
  • Multiple sequential requests attempting different file paths

SIEM Query:

source="webui-aria2" AND (url="*../*" OR url="*..%2f*" OR url="*%2e%2e%2f*")

🔗 References
