CVE-2023-34096

Source
https://cve.org/CVERecord?id=CVE-2023-34096
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-34096.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-34096
Aliases
  • GHSA-vhqc-649h-994h
Published
2023-06-08T18:59:51.787Z
Modified
2026-04-10T04:59:34.205931Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Thruk has Path Traversal Vulnerability in panorama.pm
Details

Thruk is a multi-backend monitoring web interface which currently supports Naemon, Icinga, Shinken and Nagios as backends. In versions 3.06 and prior, the file panorama.pm is vulnerable to path traversal, which allows an attacker to upload a file to any folder on the affected system that has write permissions. The parameter "location" is not filtered, validated or sanitized, and it accepts any kind of characters. For a path traversal attack, the only characters required were the dot (.) and the slash (/). A fix is available in version 3.06.2.

Database specific
{
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/34xxx/CVE-2023-34096.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/sni/Thruk

Affected ranges

Type
GIT
Repo
https://github.com/sni/Thruk
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.06.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/sni/thruk
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

0.*
0.20
v0.*
v0.20
v0.21_1
v0.27_1
v0.27_2
v0.32
v0.46
v0.48
v0.50
v0.60
v0.66
v0.70
v0.70.1
v0.72
v0.72.2
v0.74
v0.76
v1.*
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.9
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.18
v1.20
v1.22
v1.24
v1.26
v1.28
v1.30
v1.32
v1.34
v1.36
v1.38
v1.40
v1.42
v1.44
v1.46
v1.50
v1.52
v1.54
v1.56
v1.58
v1.60
v1.60-2
v1.62
v1.64
v1.64-2
v1.66
v1.66-2
v1.68
v1.70
v1.70-2
v1.70-3
v1.70-4
v1.72
v1.74
v1.74-2
v1.76
v1.76-2
v1.76-3
v1.78
v1.78-2
v1.78-3
v1.80
v1.80-2
v1.80-3
v1.82
v1.82-2
v1.84
v1.84-2
v1.84-3
v1.84-4
v1.84-5
v1.84-6
v1.86
v1.86-2
v1.86-3
v1.86-4
v1.88
v1.88-2
v1.88-3
v1.88-4
v2.*
v2.00
v2.00-2
v2.02
v2.04
v2.06
v2.08
v2.10
v2.10-2
v2.12
v2.12-2
v2.12-3
v2.14
v2.14-2
v2.16
v2.16-2
v2.18
v2.20
v2.20-2
v2.22
v2.24
v2.24-2
v2.26
v2.26-2
v2.28
v2.30
v2.32
v2.32-2
v2.34
v2.34-2
v2.34-3
v2.36
v2.38
v2.38-2
v2.40
v2.40-2
v2.42
v2.42-2
v2.44
v2.44-2
v2.44-3
v2.44.3
v2.46
v2.46.2
v2.46.3
v2.48
v2.48.2
v3.*
v3.00
v3.00-alpha
v3.02
v3.04
v3.06

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-34096.json"