Fluid Attacks Database

Description

OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can read arbitrary files from the filesystem by sending crafted GET requests with path traversal sequences (e.g., '../') in the URL. For example, requesting /static/css//../../../../../../../../etc/passwd returns the contents of /etc/passwd. This vulnerability was discovered by Raif Berkay Dincel and confirmed on Linux Mint and Windows 10.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	pycti	=1.2.1 \|\| =1.2.11 \|\| =1.2.12 \|\| =1.2.13 \|\| =1.2.14 \|\| =1.2.15 \|\| =1.2.2 \|\| =1.2.4 \|\| =1.2.9 \|\| =2.0.0 \|\| =2.0.1 \|\| =2.0.2 \|\| =2.0.3 \|\| =2.1.10 \|\| =2.1.11 \|\| =2.1.12 \|\| =2.1.13 \|\| =2.1.3 \|\| =2.1.4 \|\| =2.1.5 \|\| =2.1.6 \|\| =2.1.7 \|\| =2.1.8 \|\| =2.1.9 \|\| =3.0.0 \|\| =3.0.1 \|\| =3.0.2 \|\| =3.0.3 \|\| =3.1.0 \|\| =3.1.1 \|\| =3.1.2 \|\| =3.2.0 \|\| =3.2.1 \|\| =3.2.2 \|\| =3.2.3 \|\| =3.2.4 \|\| =3.2.5 \|\| =3.2.6 \|\| =3.2.7 \|\| =3.3.0 \|\| =3.3.1 \|\| >=0 <=3.3.1	3.3.2

Aliases

1. CVE-2020-370412. NVD-2020-370413. OSV-PYSEC-2026-1144. OSV-2020-370415. GCVE-2020-370416. vulncheck.com

References

1. https://www.opencti.io/

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.