Thruk Incorrect limitation of a pathname to a restricted directory (Path Traversal) (CWE-22)
Description
Thruk prior to 3.12 allows arbitrary file upload via path traversal in the dashboard background upload form, enabling file overwrite, disk fill, or webshell.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Thruk versions before 3.12, the web monitoring application includes a file upload form for setting dashboard backgrounds. The form does not sanitize user-supplied folder paths, allowing path traversal sequences (e.g., ../). When a user is logged in, the upload function constructs the target path by concatenating a base usercontent_folder with the user-provided location parameter without validation. By manipulating the location to include ../ sequences, an attacker can direct the uploaded file to any directory for which the web server process has write permissions. The vulnerability is fixed in version 3.12 [1][2].
Exploitation
An attacker needs only a valid user account on the Thruk instance (any privilege level). After logging in, the attacker navigates to the dashboard background upload area, intercepts the request, and modifies the folder path parameter (e.g., to backgrounds/../../../../tmp/). The server then writes the uploaded file to the attacker-specified path, such as /tmp/ on a GNU/Linux system. No additional authentication or user interaction beyond the initial login is required [1].
Impact
Successful exploitation allows the attacker to arbitrarily write files to the server filesystem. This can lead to overwriting existing application resources (defacing the site), filling the disk (causing denial of service), or uploading a malicious script (e.g., a webshell) that permits remote command execution with the privileges of the web server process. The vulnerability primarily threatens integrity and availability, and can escalate to complete compromise [1].
Mitigation
The vulnerability is fixed in Thruk version 3.12, released on 2024-01-29. The patch [2] uses Cwd::abs_path to resolve the final path and checks that it remains within the intended usercontent_folder. For unpatched instances, ensure the web server user has minimal write permissions and monitor file upload logs for suspicious path sequences. No workaround other than upgrading is documented in the available references. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication [1].
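The advice to "monitor file upload logs for suspicious path sequences" leaves open what to match. The following is an added example, not code from Thruk or from the advisory: it scans constructed upload-log lines (the log format and the field names `user`, `action`, `location` and `file` are assumptions for illustration) and flags any folder or filename value that, after full percent-decoding, contains a `..` path component or is an absolute path. Decoding repeatedly is what catches `%252e%252e`-style double encoding, while the component-level match avoids flagging names that merely contain dots.

```python
import re
from urllib.parse import unquote

# Constructed log lines for this example (not Thruk's real log format):
# one upload attempt per line, key=value fields.
SAMPLE_LOG = """\
2024-02-01T10:00:00Z user=alice action=upload location=backgrounds file=bg.png
2024-02-01T10:01:00Z user=mallory action=upload location=backgrounds/../../../../tmp/ file=shell.php
2024-02-01T10:02:00Z user=mallory action=upload location=backgrounds%2F..%2F..%2Fetc file=x.png
2024-02-01T10:03:00Z user=mallory action=upload location=..%252F..%252Ftmp file=x.png
2024-02-01T10:04:00Z user=bob action=upload location=my..backgrounds file=ok.png
2024-02-01T10:05:00Z user=eve action=upload location=backgrounds file=..%5Cshell.php
2024-02-01T10:06:00Z user=carol action=login
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
# '..' as a whole path component (after backslashes are normalised to '/')
DOTDOT_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e cannot slip past the check."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True for a '..' component or an absolute path, at any encoding depth."""
    v = decode_fully(value).replace("\\", "/")
    return v.startswith("/") or DOTDOT_RE.search(v) is not None


def flag_uploads(log_text: str) -> list:
    """Return (user, field, raw_value) for each upload whose folder or filename traverses."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("action") != "upload":
            continue
        for key in ("location", "file"):
            if key in fields and is_traversal(fields[key]):
                hits.append((fields.get("user", "?"), key, fields[key]))
    return hits


if __name__ == "__main__":
    for user, field, raw in flag_uploads(SAMPLE_LOG):
        print(f"traversal attempt by {user}: {field}={raw}")
```

This only catches traversal, not the webshell itself: a bare `shell.php` written into the legitimate folder passes this filter, so pair it with an allow-list on upload file types if the folder is served by the web server.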
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation of user-supplied folder path allows directory traversal via `../` sequences in the file upload form."
Attack vector
An attacker with any valid user login can upload a file through the dashboard background upload form. By manipulating the folder path parameter to include traversal sequences such as `backgrounds/../../../../tmp/`, the attacker can write files to arbitrary directories on the server. This path traversal [CWE-22] allows overwriting existing files, filling disk space, or uploading a webshell for remote code execution [ref_id=1].
Affected code
The vulnerability exists in the `_task_upload` function within `plugins/plugins-available/panorama/lib/Thruk/Controller.pm`. The file upload form constructs a folder path by concatenating `usercontent_folder` with the user-supplied `$location` parameter without sanitizing path traversal sequences like `../`.
What the fix does
The patch [ref_id=2] resolves the vulnerability by resolving the user-supplied folder path to an absolute path using `Cwd::abs_path()` and then checking that the resulting path starts with the absolute path of the legitimate `usercontent_folder`. If the resolved path falls outside that directory, the upload is rejected with an error message. This prevents any directory traversal attempt from escaping the intended upload directory.
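To make the mechanics concrete, here is an added example in Python, not Thruk's Perl code and not the patch itself. `vulnerable_target` reproduces the pre-3.12 pattern (base folder joined with the user-supplied folder, no validation); `hardened_target` reproduces the shape of the fix described above (resolve the path, then prove it is still inside `usercontent_folder`) with two caveats a practitioner should know: the containment test compares path components rather than a plain string prefix, because `/srv/usercontent_evil` starts with `/srv/usercontent` but is not inside it, and the target folder must already exist. The base path, the `backgrounds/../../../../tmp/` value and the scratch directory layout are constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Constructed inputs; Thruk's real folder and parameter names may differ.
BASE = "/etc/thruk/usercontent"
TRAVERSAL = "backgrounds/../../../../tmp/"


def vulnerable_target(usercontent_folder: str, location: str, filename: str) -> str:
    """Pre-3.12 pattern: base + user-controlled folder + name, no validation.
    normpath only shows where the write would actually land."""
    return os.path.normpath(os.path.join(usercontent_folder, location, filename))


def naive_prefix_ok(usercontent_folder: str, location: str) -> bool:
    """Insufficient containment check: plain string prefix on the resolved path."""
    base = str(Path(usercontent_folder).resolve())
    target = str((Path(usercontent_folder) / location).resolve())
    return target.startswith(base)


class UploadRejected(ValueError):
    """Raised when an upload would land outside usercontent_folder."""


def hardened_target(usercontent_folder: str, location: str, filename: str) -> str:
    """Resolve symlinks and '..', prove containment component-wise, and require
    the folder to already exist (this code path never creates directories)."""
    if filename in ("", ".", "..") or filename != os.path.basename(filename):
        raise UploadRejected("filename must be a bare name")
    base = Path(usercontent_folder).resolve()
    # an absolute 'location' replaces base here; the containment check below catches it
    folder = (base / location).resolve()
    if os.path.commonpath([str(base), str(folder)]) != str(base):
        raise UploadRejected(f"{location!r} escapes {base}")
    if not folder.is_dir():
        raise UploadRejected(f"{location!r} is not an existing upload folder")
    return str(folder / filename)


def rejected(usercontent_folder: str, location: str, filename: str) -> bool:
    """True if hardened_target refuses this upload."""
    try:
        hardened_target(usercontent_folder, location, filename)
    except UploadRejected:
        return True
    return False


def demo() -> dict:
    """Exercise both builders in a scratch tree; every value should be True."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "usercontent")
        os.makedirs(os.path.join(base, "backgrounds"))
        os.makedirs(os.path.join(tmp, "usercontent_evil"))   # sibling sharing the prefix
        os.symlink(tmp, os.path.join(base, "escape"))        # symlink planted inside the tree
        rbase = Path(base).resolve()
        return {
            "vulnerable_escapes": not vulnerable_target(base, TRAVERSAL, "x.php").startswith(base + os.sep),
            "naive_accepts_sibling": naive_prefix_ok(base, "../usercontent_evil"),
            "hardened_accepts_valid": hardened_target(base, "backgrounds", "bg.png") == str(rbase / "backgrounds" / "bg.png"),
            "hardened_rejects_traversal": rejected(base, TRAVERSAL, "x.php"),
            "hardened_rejects_absolute": rejected(base, "/tmp", "x.php"),
            "hardened_rejects_sibling": rejected(base, "../usercontent_evil", "x.php"),
            "hardened_rejects_symlink": rejected(base, "escape/usercontent_evil", "x.php"),
            "hardened_rejects_missing": rejected(base, "nosuchdir", "x.php"),
            "hardened_rejects_filename": rejected(base, "backgrounds", "../x.php"),
        }


if __name__ == "__main__":
    print(vulnerable_target(BASE, TRAVERSAL, "shell.php"))
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two notes when carrying this back to Perl: `Cwd::abs_path` can return `undef` when an intermediate directory does not exist, so the Perl check must treat `undef` as a rejection rather than let it fall through to the prefix test, and a regex prefix match against `usercontent_folder` should anchor on the folder plus a trailing `/` to avoid the sibling-prefix bypass shown by `naive_prefix_ok`.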
Preconditions
- auth: Attacker must have a valid user account on the Thruk web monitoring application
- input: Attacker must access the dashboard background file upload form
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
- [1] https://github.com/sni/Thruk/security/advisories/GHSA-4mrh-mx7x-rqjx (x_refsource_CONFIRM)
- [2] https://github.com/sni/Thruk/commit/1aa9597cdf2722a69651124f68cbb449be12cc39 (x_refsource_MISC)
News mentions (0)
No linked articles in our index yet.