CVE-2019-16105
Description
Silver Peak EdgeConnect SD-WAN before 8.1.7.x allows directory traversal via ..%2f in rest/json/configdb/download/ URI, leading to sensitive file exposure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Silver Peak EdgeConnect SD-WAN software prior to version 8.1.7.x contains a directory traversal vulnerability in the rest/json/configdb/download/ URI [1]. The endpoint does not properly sanitize user-supplied path sequences, allowing an attacker to use ..%2f (URL-encoded ../) to traverse directories outside the intended download path [1]. Affected versions are all releases before 8.1.7.x; the vulnerability was present in the REST API used for configuration database downloads.
Exploitation
An attacker with network access to the EdgeConnect management interface can craft an HTTP GET request to rest/json/configdb/download/ with a path parameter containing ..%2f sequences [1]. No authentication is required to trigger the traversal; the attacker only needs to be able to reach the device's management IP address or administrative port [1]. The request is processed by the web server, which follows the traversal and reads the requested file from the filesystem.
Impact
Successful exploitation allows an unauthenticated attacker to read arbitrary files from the appliance's filesystem [1]. This can include sensitive configuration data, credentials, and other internal information that could lead to further compromise of the SD-WAN infrastructure. The impact is limited to information disclosure (confidentiality loss); the vulnerability does not provide write or execute capabilities.
Mitigation
Silver Peak released a fix in version 8.1.7.x [1]. Organizations should upgrade to 8.1.7.x or later to close this vulnerability. If immediate patching is not possible, restrict network access to the EdgeConnect management interface to trusted IP addresses only. No known KEV listing or public exploit code was referenced in the provided advisory.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Silver Peak/EdgeConnect SD-WAN
- Range: <8.1.7
Patches
No patches discovered yet.