CVE-2024-57669
📋 TL;DR
A directory traversal vulnerability in Zrlog backup-sql-file.jar v3.0.31 allows remote attackers to read arbitrary files on the server by manipulating file paths in backup requests. This affects all systems running the vulnerable Zrlog plugin version. Attackers can potentially access sensitive configuration files, credentials, or other protected data.
💻 Affected Systems
- Zrlog backup-sql-file plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive files like configuration files containing database credentials, SSH keys, or other authentication secrets, leading to data breach or further system exploitation.
Likely Case
Unauthorized access to sensitive files such as configuration files, logs, or backup files containing application data or credentials.
If Mitigated
Limited impact with proper file permissions and network segmentation preventing access to critical system files.
🎯 Exploit Status
Exploitation requires understanding of the backup functionality and ability to craft malicious requests. No public exploit code has been released.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 32bdb36e6cc4f0b72e1ba85ef4458fb980946ea4
Vendor Advisory: https://github.com/94fzb/zrlog/issues/193
Restart Required: No
Instructions:
1. Update to the latest version of the backup-sql-file plugin.
2. Replace the vulnerable backup-sql-file.jar file with the patched version.
3. Verify the fix by checking the BackupController.java file for proper path validation.
🔧 Temporary Workarounds
Disable backup functionality
All platforms: Temporarily disable the backup plugin or restrict access to backup endpoints
Remove or rename backup-sql-file.jar from plugin directory
Network access restrictions
Linux: Restrict network access to the Zrlog application using firewall rules
iptables -A INPUT -p tcp --dport [Zrlog-port] -s [trusted-ips] -j ACCEPT
iptables -A INPUT -p tcp --dport [Zrlog-port] -j DROP
🧯 If You Can't Patch
- Implement strict file system permissions to limit what files the Zrlog process can read
- Deploy a web application firewall (WAF) with directory traversal protection rules
🔍 How to Verify
Check if Vulnerable:
Check if backup-sql-file.jar version 3.0.31 is present in the Zrlog plugins directory
Check Version:
Run: java -jar backup-sql-file.jar --version (or check the plugin metadata)
Verify Fix Applied:
Verify the BackupController.java file contains proper path validation and no longer allows directory traversal sequences like '../'
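What "proper path validation" means in practice is easiest to see side by side. The block below is an added illustration written for this advisory, not Zrlog's code (Zrlog is a Java application and its BackupController.java is not reproduced here); the backup directory, the function names and the sample inputs are assumptions chosen for the demonstration. It contrasts the unchecked join that lets "../" escape the backup root with a containment check that decodes the request, normalises it and then requires the canonical result to remain under the base directory.

```python
"""Path-containment check for a backup download handler (added example).

Not Zrlog's code. BACKUP_DIR, the function names and the inputs are assumptions.
Assumes a POSIX host so that os.path behaves as shown.
"""
import os
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed backup root for the demonstration, not a real Zrlog path.
BACKUP_DIR = "/srv/zrlog/backup"


def resolve_unchecked(requested: str) -> str:
    """The vulnerable pattern: the user-supplied name is joined onto the base
    directory and never confined, so "../" segments walk out of BACKUP_DIR."""
    return os.path.normpath(os.path.join(BACKUP_DIR, requested))


def resolve_confined(requested: str) -> Optional[str]:
    """The hardened pattern: decode, normalise, then require the canonical
    path to stay inside BACKUP_DIR. Returns None for anything that escapes."""
    # Percent-decode first so "%2e%2e%2f" is judged as the "../" it becomes.
    name = unquote(requested)
    # Treat backslashes as separators so "..\" cannot slip past on Windows hosts.
    name = name.replace("\\", "/")
    # Absolute paths are never a valid backup file name; reject them outright.
    if posixpath.isabs(name):
        return None
    base = os.path.normpath(BACKUP_DIR)
    candidate = os.path.normpath(os.path.join(base, name))
    # commonpath is the robust containment test: a plain startswith() check
    # would wrongly accept a sibling such as "/srv/zrlog/backup_old/x".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for req in ["2024-05-31.sql", "../../../etc/passwd",
                "%2e%2e%2f%2e%2e%2fconf%2fdb.properties", "..\\..\\web.xml", "/etc/passwd"]:
        print(f"{req!r:45} unchecked={resolve_unchecked(req)!r:30} "
              f"confined={resolve_confined(req)!r}")
```

The unchecked variant returns a path outside the backup root for every traversal input; the confined variant returns None for each of them while still serving an ordinary file name, which is the behaviour to look for when reviewing the patched controller.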
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in application logs
- Requests to backup endpoints with path traversal sequences (../, ..\)
- Failed file access attempts outside expected directories
Network Indicators:
- HTTP requests containing '../' patterns to backup endpoints
- Unusual file download patterns from the Zrlog server
SIEM Query:
source="zrlog.log" AND ("../" OR "..\\" OR "%2e%2e%2f") AND ("backup" OR "download")
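The indicators and SIEM query above can be checked offline against web-server access logs. The script below is an added example, not part of the advisory: it parses common-log-format lines, percent-decodes the request path and flags requests that both contain a traversal sequence and target a backup endpoint. It generalises the three literal patterns in the SIEM query by matching any "../" or "..\" that survives decoding (so "%5c" and mixed encodings are caught too). The log lines are constructed samples, and the "/admin/backup/download" route is an assumption rather than Zrlog's actual endpoint.

```python
"""Scan access-log lines for traversal attempts against backup endpoints (added example).

Constructed sample data; the endpoint name and log layout are assumptions.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample log: one benign backup download, three traversal attempts
# from 203.0.113.9 (two answered 200, one 404), one normal page view and one
# traversal-looking request that is NOT aimed at a backup endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jun/2024:10:00:01 +0000] "GET /admin/backup/download?file=2024-05-31.sql HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jun/2024:10:00:07 +0000] "GET /admin/backup/download?file=../../../etc/passwd HTTP/1.1" 200 1840
203.0.113.9 - - [01/Jun/2024:10:00:09 +0000] "GET /admin/backup/download?file=%2e%2e%2f%2e%2e%2fconf%2fdb.properties HTTP/1.1" 200 310
198.51.100.2 - - [01/Jun/2024:10:00:12 +0000] "GET /post/1 HTTP/1.1" 200 9001
198.51.100.2 - - [01/Jun/2024:10:00:15 +0000] "GET /static/../img/logo.png HTTP/1.1" 200 2048
203.0.113.9 - - [01/Jun/2024:10:00:20 +0000] "GET /admin/backup/download?file=..%5c..%5cweb.xml HTTP/1.1" 404 120
"""

# Common log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." segment followed by either separator, evaluated after decoding.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# Assumed: backup functionality lives under a path containing "backup".
BACKUP_ENDPOINT_RE = re.compile(r"backup", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_path(path: str) -> str:
    """Decode twice so double-encoded sequences (%252e) are also normalised."""
    return unquote(unquote(path))


def is_backup_traversal(path: str) -> bool:
    """True when the decoded request path carries a traversal sequence and
    targets a backup endpoint; traversal elsewhere is reported separately."""
    decoded = decode_path(path)
    return bool(TRAVERSAL_RE.search(decoded)) and bool(BACKUP_ENDPOINT_RE.search(decoded))


def find_traversal_hits(log_text: str) -> List[Dict[str, str]]:
    """Return one record per matching request, keeping the raw and decoded path
    and the HTTP status so triage can separate served reads from blocked ones."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_backup_traversal(rec["path"]):
            hits.append({
                "ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                "path": rec["path"], "decoded": decode_path(rec["path"]),
            })
    return hits


def served_hits(hits: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Requests that were answered 200 are the ones where a file may have left the server."""
    return [h for h in hits if h["status"] == "200"]


def count_by_ip(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Per-source tally, the usual pivot for blocking or deeper investigation."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_traversal_hits(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["status"], h["decoded"])
    print("served:", len(served_hits(found)), "by ip:", count_by_ip(found))
```

Run on the constructed sample, the scan reports the three backup-endpoint traversal requests from 203.0.113.9, two of which returned 200 and so warrant checking which files were actually read; the "/static/../img/logo.png" line is deliberately excluded because it does not touch a backup endpoint, which keeps ordinary path normalisation noise out of the alert.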