CVE-2019-15516
Description
Cuberite before 2019-06-11 allows webadmin directory traversal via ....// because the protection mechanism simply removes one ../ substring.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cuberite webadmin directory traversal vulnerability allows reading arbitrary files, including passwords, due to insufficient sanitization of `../` sequences.
Vulnerability
Cuberite builds before 2019-06-11 (no version number is specified) contain a directory traversal vulnerability in the webadmin interface. The server serves files from the webadmin/files/ directory but sanitizes the URL by removing one occurrence of ../. An attacker can bypass this with ....//, which becomes ../ after the ../ is removed, allowing traversal out of the intended directory. Affected versions: all Cuberite versions prior to the fix merged in pull request #4341 [1].
Exploitation
An attacker with network access to the webadmin port (typically 8080) can send a crafted HTTP request with a path like ....//....//webadmin.ini. The server's sanitization removes one ../ substring, transforming the path into ../../webadmin.ini, which then serves the file from outside the intended directory. No authentication is required as the webadmin interface is accessible without login for file serving [1].
Impact
Successful exploitation allows an attacker to read arbitrary files from the server's filesystem, including sensitive configuration files such as webadmin.ini, which contains plaintext passwords. This leads to full disclosure of credentials and potential further compromise of the server [1].
Mitigation
The vulnerability was fixed in Cuberite by pull request #4341, merged on 2019-06-11. Users should update to a version after that date. The fix implements a loop to remove all ../ sequences or uses absolute path checking. No workaround is available; updating is the recommended action. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].
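The following added example (not Cuberite's code and not the change from pull request #4341) models the flawed filter as a single non-recursive pass over the path, then shows a lexical containment check that resolves segments instead of deleting substrings. The function names are hypothetical, and the check assumes forward-slash separators and does not resolve symlinks.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Models the flawed filter described above: one non-recursive pass that
// deletes "../" substrings. (Assumed shape; not Cuberite's actual code.)
std::string strip_once(const std::string & path)
{
	std::string out;
	for (size_t i = 0; i < path.size();)
	{
		if (path.compare(i, 3, "../") == 0) { i += 3; }
		else { out += path[i++]; }
	}
	return out;
}

// Hardened alternative: resolve the path segment by segment and refuse
// anything that would climb above the served root.
bool resolve_inside_root(const std::string & path, std::string & resolved)
{
	std::vector<std::string> parts;
	std::stringstream ss(path);
	std::string seg;
	while (std::getline(ss, seg, '/'))
	{
		if (seg.empty() || seg == ".") { continue; }
		if (seg == "..")
		{
			if (parts.empty()) { return false; }  // would escape the root
			parts.pop_back();
		}
		else { parts.push_back(seg); }
	}
	resolved.clear();
	for (const auto & p : parts) { resolved += (resolved.empty() ? "" : "/") + p; }
	return true;
}

int main()
{
	const std::string req = "....//....//webadmin.ini";  // path quoted on this page
	std::string safe;
	std::cout << "filtered: " << strip_once(req) << "\n";
	std::cout << "accepted after filter: " << resolve_inside_root(strip_once(req), safe) << "\n";
	return 0;
}
```

Because the containment check rejects any path whose resolution leaves the root, it does not depend on how many times a filter ran beforehand.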
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Cuberite/Cuberite
Patches
No patches discovered yet.
References
[1] github.com/cuberite/cuberite/pull/4341 (mitre, x_refsource_MISC)