Description
The remote management interface of cgminer 4.10.0 and bfgminer 5.5.0 allows an authenticated remote attacker to write the miner configuration file to arbitrary locations on the server due to missing basedir restrictions (absolute directory traversal).
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/tintinweb/pub/tree/master/pocs/cve-2018-10057
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2018/06/03/1
Scores
CVSS v3
6.5
EPSS
0.0236
EPSS Percentile
81.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-22
Status
published
Products (2)
bfgminer/bfgminer
5.5.0
cgminer_project/cgminer
4.10.0
Published
Jun 05, 2018
Tracked Since
Feb 18, 2026