qwqdanchun
/
Goby
mirror of https://github.com/qwqdanchun/Goby.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Goby/json/Gurock-Testrail-7.2-Informa...

58 lines
5.3 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
"Name": "Gurock Testrail 7.2 Information leakage (CVE-2021-40875)",
"Description": "<p>Testrail is a complete web-based test case management solution to efficiently manage, track, and organize your software testing efforts.</p><p>Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.</p>",
"Product": "Testrail",
"Homepage": "https://www.gurock.com/testrail/",
"DisclosureDate": "2021-09-22",
"Author": "1291904552@qq.com",
"FofaQuery": "title=\"Login - TestRail\"",
"GobyQuery": "title=\"Login - TestRail\"",
"Level": "2",
"Impact": "<p>Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.</p>",
"Recommandation": "<p>There is currently no detailed solution provided, please pay attention to the manufacturer's homepage update: <a href=\"https://www.gurock.com/testrail/\">https://www.gurock.com/testrail/</a></p><p>1. Set access policies and whitelist access through security devices such as firewalls.</p><p>2.If not necessary, prohibit public network access to the system.</p>",
"Translation": {
"CN": {
"Name": "Gurock Testrail 7.2 版本信息泄露漏洞",
"VulType": ["info-disclosure"],
"Description": "<p>Testrail一个完整的基于 Web 的测试用例管理解决方案,可有效管理、跟踪和组织您的软件测试工作。</p><p>Gurock TestRail 版本 < 7.2.0.3014 中不正确的访问控制导致敏感信息暴露。威胁行为者可以访问 Gurock TestRail 应用程序客户端的 /files.md5 文件公开应用程序文件的完整列表和相应的文件路径。可以测试相应的文件路径并且在某些情况下会导致硬编码凭据、API 密钥或其他敏感数据的泄露。</p>",
"Impact": "<p>Gurock TestRail 版本 < 7.2.0.3014 中不正确的访问控制导致敏感信息暴露。威胁行为者可以访问 Gurock TestRail 应用程序客户端的 /files.md5 文件公开应用程序文件的完整列表和相应的文件路径。可以测试相应的文件路径并且在某些情况下会导致硬编码凭据、API 密钥或其他敏感数据的泄露。</p>",
"Product": "Testrail",
"Recommendation": "<p>厂商暂未提供修复方案,请关注厂商网站及时更新: <a href=\"https://www.gurock.com/testrail/\">https://www.gurock.com/testrail/</a></p><p>1、通过防⽕墙等安全设备设置访问策略设置⽩名单访问。</p><p>2、如⾮必要禁⽌公⽹访问该系统。</p>"
},
"EN": {
"Name": "Gurock Testrail 7.2 Information leakage CVE-2021-40875",
"VulType": ["info-disclosure"],
"Description": "<p>Testrail is a complete web-based test case management solution to efficiently manage, track, and organize your software testing efforts.</p><p>Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.</p>",
"Impact": "<p>Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.</p>",
"Product": "Testrail",
"Recommendation": "<p>There is currently no detailed solution provided, please pay attention to the manufacturer's homepage update: <a href=\"https://www.gurock.com/testrail/\">https://www.gurock.com/testrail/</a></p><p>1. Set access policies and whitelist access through security devices such as firewalls.</p><p>2.If not necessary, prohibit public network access to the system.</p>"
}
},
"References": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-40875"
],
"HasExp": true,
"ExpParams": [
{
"name": "filepath",
"type": "createSelect",
"value": "files.md5,db/mysql/full.sql"
}
],
"ExpTips": null,
"ScanSteps": null,
"ExploitSteps": null,
"Tags": [
"info-disclosure"
],
"VulType": ["info-disclosure"],
"CVEIDs": ["CVE-2021-40875"],
"CVSSScore": "6.0",
"AttackSurfaces": {
"Application": ["Testrail"],
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}
Reference in New Issue View Git Blame Copy Permalink