CVE-2022-38794

Vulnerability

Zaver through 2020-12-15 contains a directory traversal vulnerability in its HTTP server. By submitting a GET request with a URI containing /.. (e.g., GET /../../../etc/passwd), an attacker can bypass intended path restrictions and read arbitrary files outside the web root. The issue is documented in the project's issue tracker [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP GET request to the Zaver server with multiple ../ sequences after the initial slash. No authentication or prior access is required; the attacker only needs network connectivity to the server. The server fails to properly sanitize the path, allowing traversal.

Impact

Successful exploitation allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem with the privileges of the Zaver process. This can lead to disclosure of sensitive information such as application source code, configuration files with credentials, or system files.

Mitigation

No fixed version has been released; the project appears unmaintained since 2020-12-15. Users should either remove Zaver from production systems or restrict network access to the server (e.g., via firewall rules) to trusted hosts only. No workaround is available within the application itself.