CVE-2020-11943
Description
An issue was discovered in Open-AudIT 3.2.2. There is Arbitrary file upload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Open-AudIT 3.2.2 allows arbitrary file upload, potentially leading to remote code execution on the server.
Vulnerability
Open-AudIT version 3.2.2 contains an arbitrary file upload vulnerability: the upload handler does not adequately validate the name or content of uploaded files, so an attacker can upload files of any type, including server-side scripts such as PHP. The CVE description does not identify the affected endpoint or form; the Core Security advisory [2] is the independent write-up of the issue. Version 3.2.2 is the documented affected version; the fix is included in version 3.3.0 [1].
Exploitation
An attacker with network access to the Open-AudIT web interface can upload a malicious file, such as a PHP web shell, by sending a crafted multipart HTTP POST request to the vulnerable upload endpoint with the script as the file payload. If the upload is stored in a directory from which the web server executes scripts, a subsequent GET request for the uploaded file runs it. The CVE description does not state whether valid credentials are required; no privilege beyond the ability to reach the upload function is known to be needed.
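The following is an added example, not code from Open-AudIT or from the advisories, showing the difference between the kind of lax check the Vulnerability and Exploitation sections describe and a hardened server-side upload check. The endpoint, the allowed extensions (a hypothetical log-upload endpoint that accepts `.log`, `.txt` and `.csv`), the script-extension and magic-byte lists, and the sample payloads are all constructed for illustration.

```python
"""Added example (not Open-AudIT code): lax vs. hardened upload validation.

All names, lists and sample inputs below are constructed for illustration.
"""
import os
import secrets
from typing import NamedTuple, Optional

# Extensions a typical web server hands to a script engine. Any of these
# appearing anywhere after the first dot is rejected, which also covers
# double-extension tricks such as "shell.php.txt" on servers whose handler
# matching is not anchored to the final extension. Constructed list; tune it
# to the real server's handler configuration.
SERVER_SCRIPT_EXTS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "pht",
    "cgi", "pl", "jsp", "asp", "aspx",
}

# What this hypothetical log-upload endpoint legitimately accepts.
ALLOWED_EXTS = {"log", "txt", "csv"}

# Leading bytes of common non-text formats (constructed list).
BINARY_MAGIC = (b"\x7fELF", b"MZ", b"PK\x03\x04", b"\x89PNG", b"GIF8")


class Decision(NamedTuple):
    accepted: bool
    stored_name: Optional[str]  # server-chosen name; the client's is never reused
    reason: str


def lax_check(filename: str) -> bool:
    """The insufficient-validation pattern: refuses only names that end in
    exactly ".php". Bypassed by "shell.PhP", "shell.phtml", "shell.php.txt"."""
    return not filename.endswith(".php")


def hardened_check(filename: str, content: bytes,
                   max_bytes: int = 5_000_000) -> Decision:
    """Allowlist-based check on both the name and the body of an upload."""
    if not content:
        return Decision(False, None, "empty body")
    if len(content) > max_bytes:
        return Decision(False, None, "too large")
    if "\x00" in filename:
        return Decision(False, None, "NUL byte in filename")
    # Drop any directory part the client supplied ("../../x.log" -> "x.log").
    base = os.path.basename(filename.replace("\\", "/")).strip().lower()
    if not base or base.startswith("."):
        return Decision(False, None, "missing or hidden filename")
    parts = base.split(".")
    if len(parts) < 2:
        return Decision(False, None, "no extension")
    if any(p in SERVER_SCRIPT_EXTS for p in parts[1:]):
        return Decision(False, None, "server-side script extension")
    ext = parts[-1]
    if ext not in ALLOWED_EXTS:
        return Decision(False, None, f"extension .{ext} not allowed")
    # The body must look like the text this endpoint expects, not a binary
    # or a script wearing a permitted extension.
    if content.startswith(BINARY_MAGIC):
        return Decision(False, None, "binary magic bytes")
    try:
        text = content.decode("utf-8")
    except UnicodeDecodeError:
        return Decision(False, None, "not UTF-8 text")
    if "<?php" in text.lower() or "<?=" in text:
        return Decision(False, None, "PHP open tag in body")
    # Store under a random server-chosen name (e.g. 32 hex chars + ".log"),
    # in a directory outside the document root, so the client controls
    # neither the path nor the name of what lands on disk.
    return Decision(True, f"{secrets.token_hex(16)}.{ext}", "ok")


if __name__ == "__main__":
    shell = b"<?php system($_GET['c']); ?>"
    for name in ("shell.php", "shell.PhP", "shell.phtml", "shell.php.txt"):
        print(name, "lax:", lax_check(name),
              "hardened:", hardened_check(name, shell).reason)
    print(hardened_check("../../var/www/html/discovery.log",
                         b"host1 10.0.0.5 up\n"))
```

The lax check accepts three of the four web-shell names; the hardened check rejects all four on the name alone and would still reject a `.log` upload whose body carries a PHP open tag. Whatever the check, the stored file should live outside the web root and be served (if at all) through a handler that sets a fixed Content-Type, so that a validation gap never turns into code execution.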
Impact
Successful exploitation gives the attacker an arbitrary file on the server; if that file is reachable through the web server and executed as a script, the result is remote code execution (RCE) in the context of the web server process. From there the attacker can exfiltrate the device inventory and credentials Open-AudIT holds, move laterally to the systems it manages, and potentially compromise the wider IT infrastructure. The confidentiality, integrity, and availability of the system are all at risk.
Mitigation
Upgrade to Open-AudIT version 3.3.0 or later, which fixes this vulnerability as documented in the release notes [1]. As of the publication date (2020-04-29), this is the only known fix. Users still running version 3.2.2 should apply the upgrade immediately. No workarounds are provided in the reference; generic hardening that is independent of this CVE (restricting network access to the web interface, storing uploads outside the document root, and disabling script execution in the upload directory) reduces exposure but is not a substitute for the upgrade. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Open-AudIT / Open-AudIT
  - Range: <=3.2.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://community.opmantek.com/display/OA/Release+Notes+for+Open-AudIT+v3.3.0
- [2] https://www.coresecurity.com/advisories/open-audit-multiple-vulnerabilities
News mentions
No linked articles in our index yet.