CVE-2021-38146

Severity: HIGH · Nuclei template available

Wipro Holmes Orchestrator <20.4.1 - Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-38146. PoC published by halilkirazkaya. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains a functional proof-of-concept for CVE-2021-38146, demonstrating an arbitrary file read vulnerability in Wipro Holmes Orchestrator via path traversal in the File Download API. The PoC includes a crafted JSON payload targeting the /home/download endpoint to read arbitrary files.

Description

The File Download API in Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read arbitrary files via absolute path traversal in the SearchString JSON field in /home/download POST data.

Exploits (1)

GitHub · Working PoC · 4 stars
by halilkirazkaya · poc
https://github.com/halilkirazkaya/cve-poc-garage/tree/main/2021/CVE-2021-38146.md


Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020)
Authentication: none required
Prerequisites: network access to the target system
Analyzed by devstral-2 on Feb 27, 2026

Nuclei Templates (1)

Wipro Holmes Orchestrator 20.4.1 - Arbitrary File Download
Severity: HIGH · by s4e-io
FOFA: title="Wipro Holmes Orchestrator"

References (2)

Core References (2)
Product (x_refsource_misc): https://www.wipro.com/holmes/

Scores

CVSS v3: 7.5
EPSS: 0.1173
EPSS Percentile: 95.5%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE: CWE-22
Status: published
Products (1): wipro/holmes 20.4.1
Published: Nov 22, 2021
Tracked Since: Feb 18, 2026