
CVE-2023-34096

Severity: Medium · Public PoC

Published: 08 June 2023

Modified: 21 November 2024
CVSS v3.1 score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
EPSS score: 0.3910 (97.4th percentile)
Risk priority: 36 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-34096 is a medium-severity Path Traversal (CWE-22) vulnerability in Thruk (vendor and product are both Thruk). Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 2.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Thruk versions 3.06 and prior contain a path traversal vulnerability in the `panorama.pm` component of this multi-backend monitoring web interface, which supports Naemon, Icinga, Shinken, and Nagios. The flaw arises because the `location` parameter accepts unsanitized input containing dot and slash characters, allowing writes to any directory with write permissions on the underlying system. The issue carries a CVSS 3.1 score of 6.5 and is tracked as CWE-22.

An attacker with low-privileged network access, and without any user interaction, can exploit the weakness to upload arbitrary files to writable locations, resulting in high integrity impact while leaving confidentiality and availability unaffected.

Public references document the vulnerable code paths and confirm that version 3.06.2 contains the fix. Exploit artifacts, including a Packet Storm entry and GitHub proof-of-concept repositories, illustrate how the traversal can be triggered through the panorama controller.

The EPSS score remains flat at 0.4621 with no material rise after disclosure.


Vulnerability details

Thruk is a multi-backend monitoring web interface which currently supports Naemon, Icinga, Shinken and Nagios as backends. In versions 3.06 and prior, the file `panorama.pm` is vulnerable to a Path Traversal vulnerability which allows an attacker to upload a file to any folder which has write permissions on the affected system. The parameter `location` is not filtered, validated or sanitized and it accepts any kind of characters. For a path traversal attack, the only characters required were the dot (`.`) and the slash (`/`). A fix is available in version 3.06.2.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: thruk
Product: thruk
Versions: ≤ 3.06.2

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
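The control above is the generic fix for the weakness this CVE describes: a request-supplied folder name must never be allowed to walk out of the directory the application intends to write into. The following is an added illustration, not Thruk's code and not the 3.06.2 patch. It assumes a throwaway upload root created in a temporary directory, and the helper names (`naive_target`, `safe_target`, `classify`, `demo`) are hypothetical. `naive_target` shows the unvalidated concatenation pattern the advisory describes, purely for contrast; `safe_target` is the hardened form: it decodes once, refuses absolute locations and `..` segments, requires a bare filename, resolves symlinks, and only then confirms containment in the resolved root.

```python
import os
import posixpath
import shutil
import tempfile
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a caller-supplied location would leave the upload root."""


def naive_target(upload_root, location, filename):
    """The pattern the advisory describes: the request-supplied location is
    joined into a filesystem path with no validation, so '../' segments walk
    out of the intended folder. Shown only for contrast with safe_target."""
    return os.path.normpath(os.path.join(upload_root, location, filename))


def safe_target(upload_root, location, filename):
    """Return the absolute path for an upload, or raise PathTraversalError.

    Checks, in order: decode once, refuse absolute locations, refuse any
    '..' segment, require a bare filename, then resolve symlinks and confirm
    the final path is still inside the resolved upload root.
    """
    root = os.path.realpath(upload_root)
    location = unquote(location)  # judge '%2e%2e' as the '..' it decodes to
    if posixpath.isabs(location):
        raise PathTraversalError("absolute location rejected")
    segments = [s for s in location.split("/") if s and s != "."]
    if any(s == ".." for s in segments):
        raise PathTraversalError("parent-directory segment rejected")
    if filename in ("", ".", "..") or os.path.basename(filename) != filename:
        raise PathTraversalError("filename must be a bare name")
    candidate = os.path.realpath(os.path.join(root, *segments, filename))
    # Containment check after symlink resolution: a symlink inside the root
    # that points elsewhere fails here even though its name looked harmless.
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversalError("resolved path escapes upload root")
    return candidate


def classify(upload_root, requests):
    """Map each constructed (location, filename) pair to 'accepted'/'rejected'."""
    results = {}
    for location, filename in requests:
        try:
            safe_target(upload_root, location, filename)
            results[(location, filename)] = "accepted"
        except PathTraversalError:
            results[(location, filename)] = "rejected"
    return results


def demo():
    """Build a throwaway upload root (constructed, not a Thruk path), plant a
    symlink that points outside it, and classify a set of constructed inputs."""
    root = tempfile.mkdtemp(prefix="upload_root_")
    outside = tempfile.mkdtemp(prefix="outside_")
    try:
        os.makedirs(os.path.join(root, "dashboards"))
        os.symlink(outside, os.path.join(root, "link"))
        requests = [
            ("dashboards", "view.json"),        # ordinary subfolder
            ("a/./b", "ok.txt"),                # harmless '.' segments
            ("../../etc", "cron"),              # plain traversal
            ("%2e%2e/%2e%2e/tmp", "x"),         # percent-encoded traversal
            ("/tmp", "x"),                      # absolute location
            ("dashboards", "../escape"),        # traversal hidden in filename
            ("link", "x"),                      # symlink leading outside root
        ]
        return classify(root, requests)
    finally:
        shutil.rmtree(root)
        shutil.rmtree(outside)


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{verdict:8s} {request}")
```

The order of the checks matters: string-level rejection of `..` and absolute paths stops the obvious cases before any filesystem call, while the final `realpath` plus `commonpath` comparison is what catches the case a pure string filter misses, a symlink under the upload root that resolves elsewhere. Decoding only once keeps the check aligned with what the web framework hands the application; decoding repeatedly would re-open the door to double-encoded input.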
