CVE-2018-10057 — MEDIUM (6.5)

Vulnerability Description

The remote management interface of cgminer 4.10.0 and bfgminer 5.5.0 allows an authenticated remote attacker to write the miner configuration file to arbitrary locations on the server due to missing basedir restrictions (absolute directory traversal).

CVSS Score

6.5

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Bfgminer	Bfgminer	5.5.0
Cgminer Project	Cgminer	4.10.0

Related Weaknesses (CWE)

CWE-22

References

http://www.openwall.com/lists/oss-security/2018/06/03/1Mailing ListThird Party Advisory
https://github.com/tintinweb/pub/tree/master/pocs/cve-2018-10057ExploitThird Party Advisory
http://www.openwall.com/lists/oss-security/2018/06/03/1Mailing ListThird Party Advisory
https://github.com/tintinweb/pub/tree/master/pocs/cve-2018-10057ExploitThird Party Advisory

FAQ

What is CVE-2018-10057?

CVE-2018-10057 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The remote management interface of cgminer 4.10.0 and bfgminer 5.5.0 allows an authenticated remote attacker to write the miner configuration file to arbitrary locations on the server due to missing b...

How severe is CVE-2018-10057?

CVE-2018-10057 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-10057?

Check the references section above for vendor advisories and patch information. Affected products include: Bfgminer Bfgminer, Cgminer Project Cgminer.