CVE-2020-35191 PoC — Docker Images Official Drupal 访问控制错误漏洞

Source

https://github.com/megadimenex/MegaHiDocker

Associated Vulnerability

Title:Docker Images Official Drupal 访问控制错误漏洞 (CVE-2020-35191)
Description:Docker是美国Docker公司的一款开源的应用容器引擎。该产品支持在Linux系统上创建一个容器（轻量级虚拟机）并部署和运行应用程序，以及通过配置文件实现应用程序的自动化安装、部署和升级。 official drupal docker images 8.5.10-fpm-alpine之前版本存在安全漏洞，该漏洞源于包含根用户的空密码。使用受docker映像影响版本部署的drupal docker容器的系统，可能允许远程攻击者可利用该漏洞使用空白密码实现根访问。

Description

This project is exploit for some docker containers with similar to vulnerability code: CVE-2020-35191

Readme

# MegaHiDocker
This project will be exploited for some docker containers with similar vulnerability code: CVE-2020-35191, but this time on other containers.

# => Please read the Description.txt file


# Requirement:

1.Need to Install docker in your Linux AND Install subprocess module for python 3.X.

2.You need pull the your containers and next run this code(e.g: docker pull <your container>)
  
  
# The Impact Of Vulnerability:
  
1.CVSS: 9.8 Critical
  
2.Impact Code execution: True
  
3.Impact Denial of Service: True
  
4.Impact of Privilege Escalation: True
  
5.Impact Information Disclosur: True
  
6.Affected Component: /etc/shadow
  
# Impact on Software: 
solr
  
kasmweb/core-nvidia-focal
  
bitnami/phppgadmin
  
bitnami/cassandra
  
bitnami/prometheus
  
bitnami/alertmanager
  
bitnami/geode

File Snapshot


 [4.0K]  /data/pocs/6cb0c440ee36b9ad9a6cd7ec33ec7cd78bf39073
├── [3.5K]  Description.txt
├── [1.0K]  LICENSE
├── [5.4K]  MegaHiDocker.py
└── [ 816]  README.md

0 directories, 4 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!