Thruk Monitoring Web Interface versions **<= v3.06** are vulnerable to **CVE-2023-34096 (Path Traversal)**.
The current exploit is made in Python 3 and exploits the vulnerability to upload a PoC file to multiple Thruk's common folders and also some Linux folders.
The CNA GitHub, Inc. assigned a CVSS 3.1 Score of **6.5 (Medium)** to this finding. ([Check NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-34096))
## Vulnerability Summary
- **Assigned CVE:** CVE-2023-34096
- **CVE Author:** Galoget Latorre (@galoget)
- **Severity:** 6.5 Medium
- **Type:** Path Traversal
- **Product:** Thruk Monitoring Web Interface
- **Affected Versions:** All versions <= 3.06
- **Patched Version:** 3.06-2
- 2023-05-25: This vulnerability was identified by Galoget Latorre.
- 2023-06-02: Initial contact with maintainer via GitHub Security Advisory including vulnerability details and Proof of Concept (PoC).
- 2023-06-05: CVE-2023-34096 is assigned.
- 2023-06-06: Maintainer releases a patch with version 3.06-2, see [Thruk's Changelog](https://www.thruk.org/changelog.html#_v3-062).
- 2023-06-08: [GitHub Security Advisory](https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h) is released by maintainer.
- 2023-06-08: Security advisory ([author's blog post](https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html)) is released by Galoget Latorre.
- 2023-06-08: Exploit PoC (this repository) is released by Galoget Latorre.
- 2023-06-09: Exploit PoC is shared by [Exploit Database (Exploit-DB)](https://www.exploit-db.com/exploits/51509).
- 2023-06-09: Exploit PoC is shared by [Packet Storm Security](https://packetstormsecurity.com/files/172822/Thruk-Monitoring-Web-Interface-3.06-Path-Traversal.html).
This security vulnerability was **identified** and **reported** to the maintainer (Thruk's Developers) by **Galoget Latorre**, **Security Consultant** at **Hackem Cybersecurity Research Group** and **Dreamlab Technologies**.
- CVE Author Blog: [https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html](https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html)
- GitHub Security Advisory: [https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h](https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h)
- Exploit Database (Exploit-DB): [https://www.exploit-db.com/exploits/51509](https://www.exploit-db.com/exploits/51509)
- Packet Storm Security: [https://packetstormsecurity.com/files/172822/Thruk-Monitoring-Web-Interface-3.06-Path-Traversal.html](https://packetstormsecurity.com/files/172822/Thruk-Monitoring-Web-Interface-3.06-Path-Traversal.html)
- NVD NIST: [https://nvd.nist.gov/vuln/detail/CVE-2023-34096](https://nvd.nist.gov/vuln/detail/CVE-2023-34096)
- MITRE: [https://vulners.com/cve/CVE-2023-34096](https://vulners.com/cve/CVE-2023-34096)
- Other Exploits (PoCs) authored by Galoget:
- Exploit Database (Exploit-DB): [https://www.exploit-db.com/?author=11838](https://www.exploit-db.com/?author=11838)
- Packet Storm Security: [https://packetstormsecurity.com/files/author/16617/](https://packetstormsecurity.com/files/author/16617/)
![CVE-2023-34096 exploit PoC](CVE-2023-34096-exploit-PoC.png "CVE-2023-34096 exploit PoC")
**Note:** In the previous image, you can see that the exploit is showing an error message for the last 3 attempts, this is because in the test environment some folders were non-existent or the Apache user did not have write permissions on those paths. The exploit works correctly and the output was intended to test all possible cases.