VYPR
Unrated severity · NVD Advisory · Published Dec 22, 2021 · Updated Aug 3, 2024

CVE-2021-21886

Description

A directory traversal vulnerability exists in the Web Manager FSBrowsePage functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially crafted HTTP request can lead to information disclosure. An attacker can make an authenticated HTTP request to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated directory traversal in Lantronix PremierWave 2050 Web Manager allows listing arbitrary directories but not reading files outside /ltrx_user/.

Vulnerability

A directory traversal vulnerability exists in the FSBrowsePage functionality of the Lantronix PremierWave 2050 Web Manager, version 8.9.0.0R4. The application attempts to restrict file browsing to the /ltrx_user/ directory by prepending this path to user-supplied file parameters. However, the dir HTTP parameter is not sanitized for path traversal sequences, allowing an authenticated user to escape the intended directory [1].

Exploitation

An attacker must have valid credentials to authenticate to the Web Manager. By sending a crafted HTTP request with a dir parameter starting with /../, the attacker can traverse outside /ltrx_user/ and navigate the filesystem from the root directory. The request does not require any special privileges beyond authentication [1].
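The flaw class described above, shown next to a containment check that closes it. This is an added example, not Lantronix code and not part of the advisory; the function names, the Python rendering and the sample directory names are assumptions, and only the /ltrx_user base and the /../ prefix come from the text.

```python
import posixpath

BASE = "/ltrx_user"  # browse root named in the advisory


def naive_join(dir_param):
    """Pattern the advisory describes: prefix the base, no normalisation."""
    return BASE + "/" + dir_param


def effective_path(path):
    """What a filesystem lookup collapses the string to (symlinks aside)."""
    return posixpath.normpath(path)


def resolve_under_base(dir_param, base=BASE):
    """Return the normalised path if it stays inside base, else None.

    Assumes dir_param was URL-decoded exactly once by the web server.
    """
    if "\x00" in dir_param:
        return None  # an embedded NUL would truncate the path in C callers
    joined = posixpath.join(base, dir_param.lstrip("/"))
    candidate = posixpath.normpath(joined)
    # Compare on a component boundary so /ltrx_user_backup does not match.
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


def audit(samples):
    """Pair each input with the naive result and the checked result."""
    return [(s, effective_path(naive_join(s)), resolve_under_base(s))
            for s in samples]


if __name__ == "__main__":
    # Constructed inputs; the directory names are illustrative only.
    constructed = ["logs", "logs/../config", "/../etc", "../ltrx_user_backup"]
    for raw, naive, checked in audit(constructed):
        print(f"{raw!r:24} naive={naive!r:22} checked={checked!r}")
```

The check is purely lexical, so on a real filesystem the candidate should also be resolved with os.path.realpath and compared again, since a symlink inside the base can point outside it.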

Impact

Successful exploitation allows the attacker to list the contents of arbitrary directories on the device, disclosing file and directory names. However, the vulnerability does not permit reading the contents of files outside /ltrx_user/; attempting to view such files results in a 400 Bad Request error. The impact is limited to information disclosure of directory listings [1].

Mitigation

No fix has been disclosed as of the publication date. Users should restrict network access to the Web Manager to trusted hosts and monitor for firmware updates from Lantronix. The tested version is 8.9.0.0R4; earlier versions may also be affected [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
