CVE-2023-34096
Published: 08 June 2023
Summary
CVE-2023-34096 is a medium-severity Path Traversal (CWE-22) vulnerability in Thruk. Its CVSS 3.1 base score is 6.5 (Medium).
Operationally, it ranks in the top 2.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Thruk versions 3.06 and prior contain a path traversal vulnerability in the panorama.pm component of this multibackend monitoring web interface, which supports Naemon, Icinga, Shinken, and Nagios as backends. The flaw arises because the location parameter accepts unsanitized input: nothing filters the dot and slash characters, so a value containing `../` segments lets an upload land in any directory the Thruk process can write to on the underlying system. The issue carries a CVSS 3.1 score of 6.5 and is tracked as CWE-22.
An attacker with low-privileged network access and no user interaction required can exploit the weakness to write arbitrary files to any writable location, resulting in high integrity impact while leaving confidentiality and availability unaffected (CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, which yields the 6.5 score).
Public references document the vulnerable code paths and confirm that version 3.06.2 contains the fix. Exploit artifacts, including a Packet Storm entry and GitHub proof-of-concept repositories, show how the traversal is triggered through the panorama controller.
The EPSS score has remained flat at 0.4621, with no material rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-38204
Vulnerability details
Thruk is a multibackend monitoring web interface which currently supports Naemon, Icinga, Shinken and Nagios as backends. In versions 3.06 and prior, the file `panorama.pm` is vulnerable to a Path Traversal vulnerability which allows an attacker to upload a file to any folder which has write permissions on the affected system. The `location` parameter is not filtered, validated or sanitized and it accepts any kind of characters. For a path traversal attack, the only characters required were the dot (`.`) and the slash (`/`). A fix is available in version 3.06.2.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Thruk 3.06 and prior (fixed in 3.06.2).
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the control below is derived from the weakness type (CWE-22) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories: decode the submitted path once, reject `.` and `..` segments and absolute paths, canonicalize the result, and refuse any target that does not remain under the intended upload directory.
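The following is an added example, not Thruk's own code: it illustrates the weakness described in the "Deeper analysis" section (an unfiltered `location` parameter joined into an upload path) beside the kind of check the mitigating control above calls for. The upload root, the `location`/`filename` parameter names and the function names are assumptions made for the illustration; the inputs are constructed. Thruk itself is written in Perl; Python is used here only because the check is language-independent.

```python
"""Added example (not Thruk's code): an unsanitized upload path beside a hardened one."""
import posixpath
from urllib.parse import unquote

# Assumed upload directory for the illustration; the real Thruk path differs.
UPLOAD_ROOT = "/var/lib/thruk/panorama/uploads"


class PathTraversal(ValueError):
    """Raised by the hardened variant when the target would leave the root."""


def vulnerable_target(location: str, filename: str, root: str = UPLOAD_ROOT) -> str:
    """Flaw class shown on this page: `location` is joined in unfiltered, so a
    value built from only '.' and '/' walks out of the upload root."""
    return posixpath.normpath(posixpath.join(root, location, filename))


def safe_target(location: str, filename: str, root: str = UPLOAD_ROOT) -> str:
    """Hardened variant: decode once, reject dangerous segments, canonicalize,
    then verify the result is still under the root."""
    # Decode once, as the web framework would before the handler sees the value.
    location, filename = unquote(location), unquote(filename)
    if "\x00" in location or "\x00" in filename:
        raise PathTraversal("NUL byte in path component")
    # The filename must be a bare name: no separators, not '.' or '..'.
    if filename in ("", ".", "..") or posixpath.basename(filename) != filename:
        raise PathTraversal(f"bad filename: {filename!r}")
    # An empty location means "upload root"; otherwise every segment must be a
    # plain directory name. Empty segments catch absolute paths and '//'.
    segments = [] if location == "" else location.split("/")
    for seg in segments:
        if seg in ("", ".", "..") or "\\" in seg:
            raise PathTraversal(f"bad location segment: {seg!r}")
    root_abs = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root_abs, *segments, filename))
    # Defense in depth: even after segment filtering, confirm the prefix.
    if target != root_abs and not target.startswith(root_abs + "/"):
        raise PathTraversal(f"target escapes root: {target}")
    return target


if __name__ == "__main__":
    # Constructed attacker input: five '..' hops reach '/' and then '/etc/cron.d'.
    print(vulnerable_target("../../../../../etc/cron.d", "job"))
    print(safe_target("dashboards/2024", "bg.png"))
    try:
        safe_target("..%2F..%2Fetc", "x")
    except PathTraversal as exc:
        print("rejected:", exc)
```

On a live system the prefix check should be applied to `os.path.realpath(target)` as well, because a symlink an attacker can create inside the root would otherwise redirect a name that passes the string check to a location outside it.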