VYPR
Unrated severity · NVD Advisory · Published May 23, 2019 · Updated Aug 4, 2024

CVE-2019-10849

Description

Computrols CBAS 18.0.0 allows unprotected Subversion (SVN) directory / source code disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Computrols CBAS 18.0.0 exposes an unprotected Subversion (SVN) directory, allowing remote source code disclosure without authentication.

Vulnerability

Computrols CBAS version 18.0.0 contains an unprotected Subversion (SVN) directory, which exposes source code to unauthenticated remote attackers [1][2]. The web application fails to restrict access to the .svn directory, the metadata directory that Subversion creates in a working copy and that typically contains source code files and version history. This vulnerability allows anyone who can reach the CBAS web interface to browse and download the application's source code [3].

Exploitation

An attacker with network access to the CBAS web server can simply navigate to the exposed SVN directory (e.g., http://target/.svn/) using a web browser or automated tools [3]. No authentication or prior knowledge of credentials is required. The attacker can then recursively download the contents of the .svn directory, including all source code files and version history [2].

Impact

Successful exploitation leads to complete disclosure of the CBAS application source code, including any hardcoded credentials, database connection strings, proprietary business logic, and configuration details [1][2]. This information can be used by an attacker to discover additional vulnerabilities, perform targeted attacks against the system, or compromise sensitive data processed by CBAS [3]. The disclosure poses a significant risk to the confidentiality of the building automation system's intellectual property and operational parameters.

Mitigation

As of the available references, no vendor patch was released to address this issue [1][2]. The affected version 18.0.0 is exposed, and administrators should immediately restrict access to the .svn directory via web server configuration (e.g., blocking HTTP requests to paths containing .svn) [3]. Upgrading to a later, secure version of CBAS may also resolve the vulnerability, though no fixed release date is specified in the references [1][2].
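
To confirm that the block on .svn paths is effective, and to find out whether the directory was already served, the web server's access log can be reviewed. The following is an added example, not code from the advisory or from Computrols: it assumes the server writes common/combined log format, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def svn_segment(target):
    """True if any path segment of the request target is '.svn' once decoded."""
    path = urlsplit(target).path          # query strings are ignored
    for _ in range(2):                    # undo up to two layers of percent-encoding
        path = unquote(path)
    return ".svn" in (seg.lower() for seg in re.split(r"[/\\]", path))

def classify(lines):
    """Return (client, target, status, verdict) for each request touching .svn."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not svn_segment(m.group(3)):
            continue
        client, _method, target, status = m.groups()
        status = int(status)
        # 2xx/3xx: the server answered from the metadata directory.
        # 4xx/5xx: the request was refused, i.e. the restriction is working.
        verdict = "DISCLOSED" if status < 400 else "blocked"
        findings.append((client, target, status, verdict))
    return findings

# Constructed sample lines (documentation addresses, not from a real system).
SAMPLE = [
    '198.51.100.7 - - [23/May/2019:10:01:02 +0000] "GET /.svn/ HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [23/May/2019:10:01:03 +0000] "GET /%2Esvn/ HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.9 - - [23/May/2019:10:02:00 +0000] "GET /index.html?ref=.svn HTTP/1.1" 200 1024 "-" "-"',
    '203.0.113.9 - - [23/May/2019:10:02:05 +0000] "GET /docs/notes.svn.txt HTTP/1.1" 200 88 "-" "-"',
]

if __name__ == "__main__":
    for client, target, status, verdict in classify(SAMPLE):
        print(f"{verdict:9} {status} {client} {target}")
```

Any DISCLOSED entry dated before the restriction was applied means the source code, and any credentials embedded in it, should be treated as exposed.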

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
