CVE-2024-23822

MEDIUM

Thruk < 3.12 - Path Traversal via File Upload Form

Title source: llm

Description

Thruk is a multibackend monitoring web interface. Prior to version 3.12, a file upload form in the Thruk web monitoring application allows a threat actor to upload files to any path on the server that they choose and have permissions for. This class of vulnerability is known as Path Traversal or Directory Traversal. Version 3.12 fixes the issue.

Scores

CVSS v3: 5.4
EPSS: 0.0144
EPSS Percentile: 69.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-22
Status: published
Products (1): thruk/thruk < 3.12
Published: Jan 29, 2024
Tracked Since: Feb 18, 2026