CVE-2021-47755
Published: 15 January 2026
Summary
CVE-2021-47755 is a high-severity Path Traversal (CWE-22) vulnerability in Softlinkint Oliver V5 Library. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked in the top 49.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Oliver Library Server v5 is affected by CVE-2021-47755, a file download vulnerability arising from unsanitized input in the FileServlet endpoint. This CWE-22 (path traversal) flaw enables attackers to manipulate the 'fileName' parameter to access arbitrary system files on the server's filesystem. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its high confidentiality impact.
Unauthenticated remote attackers can exploit this issue with low attack complexity and no user interaction or privileges required. By crafting malicious requests to the FileServlet, they can download sensitive system files, potentially exposing configuration data, credentials, or other critical information without impacting integrity or availability.
References point to a proof-of-concept exploit on Exploit-DB (ID 50599) and the vendor product page for Oliver Library Server at Softlink International. No specific mitigation or patch guidance is detailed in these sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2777
Vulnerability details
Oliver Library Server v5 contains a file download vulnerability that allows unauthenticated attackers to access arbitrary system files through unsanitized input in the FileServlet endpoint. Attackers can exploit the vulnerability by manipulating the 'fileName' parameter to download sensitive files from the server's filesystem.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing FileServlet enables remote arbitrary file read (T1005) exposing credentials/configs (T1552.001) via exploitation of the web app (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly validates unsanitized inputs such as the 'fileName' parameter in FileServlet to prevent path traversal and arbitrary file access.
- AC-3 (Access Enforcement): enforces approved authorizations to block unauthenticated access to arbitrary system files via the vulnerable endpoint.
- Output filtering: filters the output of file download requests to restrict transmission of sensitive system file contents.
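As an added example (not the vendor's code and not taken from the referenced proof-of-concept), this is the containment check that the SI-10 control above describes, written in Python as the general technique rather than as Java servlet code; the download root, the file names and the helper names are constructed for the demo and assume nothing about the real FileServlet.

```python
import os
import tempfile
from urllib.parse import unquote

class PathTraversalError(ValueError):
    """Raised when a requested file name would escape the download root."""

def resolve_download_path(root_dir: str, file_name: str) -> str:
    """Map an untrusted 'fileName' value onto a file that is inside root_dir."""
    if not file_name:
        raise PathTraversalError("empty file name")
    # Decode percent-encoding once so '..%2F' cannot slip past a naive check.
    decoded = unquote(file_name)
    # Null bytes can truncate the path in lower-level APIs; refuse them.
    if "\x00" in decoded:
        raise PathTraversalError("control character in file name")
    if os.path.isabs(decoded):
        raise PathTraversalError("absolute paths are not allowed")
    root = os.path.realpath(root_dir)
    # realpath() collapses '..' segments and follows symlinks, so the
    # containment check below sees the file the OS would actually open.
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversalError(f"{file_name!r} resolves outside the root")
    return candidate

def is_safe_download(root_dir: str, file_name: str) -> bool:
    """True when the requested name stays inside root_dir, else False."""
    try:
        resolve_download_path(root_dir, file_name)
        return True
    except PathTraversalError:
        return False

def demo() -> dict:
    """Exercise the check against a constructed download root (sample data)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "reports"))
    with open(os.path.join(root, "reports", "catalogue.pdf"), "w") as fh:
        fh.write("sample")
    return {
        "plain": is_safe_download(root, "reports/catalogue.pdf"),
        "dotdot": is_safe_download(root, "../outside.txt"),
        "encoded": is_safe_download(root, "..%2F..%2Foutside.txt"),
        "absolute": is_safe_download(root, "/tmp/outside.txt"),
        "nested_dotdot": is_safe_download(root, "reports/../../outside.txt"),
    }
```

Only the first request is allowed; each of the other four is rejected before any file is opened, which is the behaviour a download endpoint needs regardless of how the name was encoded.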