CVE-2024-5433
Description
The Campbell Scientific CSI Web Server supports a command that will return the most recent file that matches a given expression. A specially crafted expression can lead to a path traversal vulnerability. This command combined with a specially crafted expression allows anonymous, unauthenticated access (allowed by default) by an attacker to files and directories outside of the webserver root directory they should be restricted to.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated path traversal vulnerability in Campbell Scientific CSI Web Server allows attackers to read arbitrary files outside the web root.
The Campbell Scientific CSI Web Server contains a command that returns the most recent file matching a user-provided expression. Due to improper limitation of a pathname to a restricted directory (CWE-22), a specially crafted expression can trigger a path traversal, allowing access to files outside the intended web root [1].
The vulnerability can be exploited remotely over the network with low attack complexity. No authentication is required, as anonymous access is enabled by default. An attacker can send a crafted request to the server's command interface to traverse directories and retrieve arbitrary files [1].
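The following is an added illustration of the CWE-22 pattern described above, not code from Campbell Scientific or the CSI Web Server. It models a "newest file matching an expression" handler in Python: a vulnerable version that joins the caller's expression onto the web root as-is, beside a hardened version that rejects traversal components and then checks the resolved path of every match against the root. The directory layout, file names, the credential-file name `passwords.txt`, and the planted symlink are all constructed for the demo and are not the product's real layout.

```python
import glob
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional


def build_sample_tree() -> Path:
    """Constructed sample tree (hypothetical, not the CSI Web Server layout):
    a web root with two data files, a credential file one level above the
    root, and a symlink inside the root that points at that credential file."""
    base = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
    data = base / "webroot" / "data"
    data.mkdir(parents=True)
    older = data / "log_2024-05-01.dat"
    newer = data / "log_2024-05-02.dat"
    secret = base / "passwords.txt"  # hypothetical name, outside the web root
    older.write_text("older record\n")
    newer.write_text("newer record\n")
    secret.write_text("admin:not-a-real-credential\n")
    # Fixed mtimes so "most recent" is deterministic; the secret is newest of all.
    os.utime(older, (1_000_000_000, 1_000_000_000))
    os.utime(newer, (1_000_000_100, 1_000_000_100))
    os.utime(secret, (1_000_000_200, 1_000_000_200))
    # Symlink escaping the root, constructed to show why the resolved path matters.
    os.symlink(secret, data / "latest.dat")
    return base / "webroot"


def newest_file_vulnerable(webroot: Path, expr: str) -> Optional[str]:
    """CWE-22: the caller's expression is joined onto the root with no
    normalisation and no containment check, so '..' walks out of the root."""
    matches = glob.glob(os.path.join(str(webroot), expr))
    return max(matches, key=os.path.getmtime) if matches else None


def newest_file_hardened(webroot: Path, expr: str) -> Optional[str]:
    """Same feature with two layers: a cheap syntactic reject of absolute
    paths and '..' components, then a containment check on the resolved
    path of each match, which also drops symlinks that point outside."""
    root = webroot.resolve()
    if os.path.isabs(expr) or ".." in Path(expr).parts:
        raise ValueError("expression must be relative to the web root")
    candidates = []
    for match in glob.glob(str(root / expr)):
        real = Path(match).resolve()
        if root in real.parents:  # the authoritative boundary check
            candidates.append(real)
    if not candidates:
        return None
    return str(max(candidates, key=lambda p: p.stat().st_mtime))


def demo() -> Dict[str, str]:
    """Runs the same expressions through both handlers and reports basenames."""
    webroot = build_sample_tree()

    def name(path: Optional[str]) -> str:
        return os.path.basename(path) if path else "none"

    def hardened(expr: str) -> str:
        try:
            return name(newest_file_hardened(webroot, expr))
        except ValueError:
            return "rejected"

    return {
        "vuln_in_root": name(newest_file_vulnerable(webroot, "data/*.dat")),
        "vuln_traversal": name(newest_file_vulnerable(webroot, "../passwords.txt")),
        "hard_in_root": hardened("data/*.dat"),
        "hard_traversal": hardened("../passwords.txt"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value}")
```

Two things are worth noticing in the output. The vulnerable handler answers `../passwords.txt` with the file above the root, which is the traversal the advisory describes; it also returns `latest.dat` for the in-root expression `data/*.dat`, because the newest match is a symlink whose target lies outside the root. The hardened handler rejects the `..` expression outright and, for `data/*.dat`, returns `log_2024-05-02.dat` because the symlink's resolved path fails the containment check. The `..` filter alone would not have caught the symlink case, which is why the resolved-path check is the one to rely on.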
Successful exploitation lets an attacker download sensitive files from the server, including the file in which the web server stores its authentication credentials. That file is kept under a specific file name; an attacker who retrieves it finds the stored passwords weakly encoded (CWE-261, CVE-2024-5434), so they can be decoded and used for further unauthorized access [1].
Affected versions are CSI Web Server 1.6 and prior, and RTMC Pro 5.0 and prior, which bundles the web server. Campbell Scientific has released updated versions that address the vulnerability; users are advised to upgrade to the latest software or to apply the mitigations in CISA advisory ICSA-24-149-01 [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.