CVE-2021-43493
Description
ServerManagement master branch as of commit 49491cc6f94980e6be7791d17be947c27071eb56 is affected by a directory traversal vulnerability. This vulnerability can be used to extract credentials which can in turn be used to execute code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Directory traversal in ServerManagement (commit 49491cc6) via /DownFile endpoint allows authenticated attackers to read arbitrary files and extract credentials.
Vulnerability
ServerManagement master branch as of commit 49491cc6f94980e6be7791d17be947c27071eb56 is vulnerable to a directory traversal attack in the /DownFile endpoint. The endpoint uses Flask's send_from_directory with a user-controlled filename parameter, which is base64-decoded and then passed to os.path.split without adequate sanitization. Although the code checks whether the path is a directory, it does not prevent ../ sequences, so files outside the intended directory can be read [1].
Exploitation
An attacker must be authenticated (the endpoint is protected by @cklogin()) and have network access to the server. The attacker sends a GET or POST request to /DownFile with a filename parameter that contains directory traversal sequences (e.g., ../) encoded in base64. The server processes the request and returns the requested file as an attachment. This can be repeated to enumerate and extract sensitive files such as credentials [1].
Impact
Successful exploitation allows an attacker to read arbitrary files from the filesystem, including configuration files and credentials. The extracted credentials can then be used to gain further access or execute code on the server, leading to a full compromise of the affected system [1].
Mitigation
As of the available references, no official fix or patched version has been released. Users should apply input validation to the filename parameter, such as rejecting paths containing ../ or ensuring that the resolved path stays within an allowed directory. A commit later than 49491cc6 may contain a fix, but this is not confirmed [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ServerManagement/ServerManagement
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the user-supplied `filename` parameter allows directory traversal via `send_from_directory()` in Flask."
Attack vector
An unauthenticated attacker sends a GET request to `/DownFile` with a base64-encoded `filename` parameter containing `../` sequences or an absolute path (e.g., `L2V0Yy9wYXNzd2Q=`, which decodes to `/etc/passwd`). The server decodes the value and passes it to `send_from_directory()`, which serves arbitrary files from the filesystem. The advisory's PoC shows that this can be used to extract credentials, which can then be leveraged for code execution [ref_id=1].
Affected code
The vulnerable endpoint is `/DownFile` in the Flask application. The `DownFile()` function takes a user-supplied `filename` parameter, base64-decodes it, and passes it directly to `send_from_directory()` without validating that the resulting path stays within an allowed directory [ref_id=1].
What the fix does
No patch is present in the bundle. The advisory recommends restricting the `filename` and path parameters to a fixed whitelist of allowed values, which would prevent an attacker from supplying arbitrary paths outside the intended directory [ref_id=1].
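The validation that the Mitigation section and "What the fix does" describe, as an added example that is not the project's code: a standalone Python helper (hypothetical names `resolve_download_path`, `encode_filename`, `is_safe_download`) that base64-decodes the `filename` parameter the way the handler does and returns a path only if it resolves inside an allowed directory; a Flask route would call it before `send_from_directory()`.

```python
import base64
import binascii
import os


class InvalidDownloadPath(ValueError):
    """Raised when a requested filename must not be served."""


def encode_filename(name: str) -> str:
    """Encode a filename the way a client of /DownFile would (helper for tests)."""
    return base64.b64encode(name.encode("utf-8")).decode("ascii")


def decode_filename(b64_value: str) -> str:
    """Base64-decode the filename parameter as the handler does; reject junk."""
    try:
        return base64.b64decode(b64_value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise InvalidDownloadPath("filename is not valid base64 text") from exc


def resolve_download_path(base_dir: str, b64_value: str) -> str:
    """Return an absolute path inside base_dir or raise InvalidDownloadPath.

    Two layers, as the mitigation suggests: reject absolute paths, NUL bytes
    and any '..' component up front, then confirm that the real path (after
    symlink resolution) is still contained in the allowed directory.
    """
    name = decode_filename(b64_value)
    parts = name.replace("\\", "/").split("/")
    if not name or "\x00" in name or os.path.isabs(name) or ".." in parts:
        raise InvalidDownloadPath(f"rejected path {name!r}")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    # Containment check: commonpath equals root only if candidate is under it;
    # the directory itself is also refused, since only files are downloads.
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise InvalidDownloadPath(f"{name!r} resolves outside {root}")
    return candidate


def is_safe_download(base_dir: str, b64_value: str) -> bool:
    """Predicate form for route code: True only if the path would be served."""
    try:
        resolve_download_path(base_dir, b64_value)
    except InvalidDownloadPath:
        return False
    return True
```

The allowed directory `/srv/downloads` used in the checks is an assumed placeholder; substitute the application's real download root.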
Preconditions
- network: The attacker must be able to reach the /DownFile endpoint over the network
- auth: No authentication is required; the PoC uses a session cookie, but the advisory lists CVSS PR:N (no privileges required)
- input: The attacker supplies a base64-encoded filename parameter containing directory traversal sequences
Reproduction
```shell
curl -i -s -k -X $'GET' \
  -H $'Host: 0.0.0.0:9001' \
  -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0' \
  -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' \
  -H $'Accept-Language: en-US,en;q=0.5' \
  -H $'Accept-Encoding: gzip, deflate' \
  -H $'Connection: close' \
  -H $'Upgrade-Insecure-Requests: 1' \
  -b $'session=eyJwYXNzd29yZCI6IndlbnJ1aSIsInNlY2VjdExpc3QiOiJbXSIsInVzZXJuYW1lIjoiYWRtaW4ifQ.FC1IVA.B3HWw42zgF_CltmVq0wm0N64vYQ' \
  $'http://0.0.0.0:9001/DownFile?filename=L2V0Yy9wYXNzd2Q='
```
This PoC from the advisory retrieves `/etc/passwd` by passing the base64-encoded path `L2V0Yy9wYXNzd2Q=` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/cksgf/ServerManagement/issues/21 (MISC)
News mentions
No linked articles in our index yet.