CVE-2019-17538 — AI Deep Analysis Summary

🚨 **Essence**: A Path Traversal vulnerability in Jiangnan Online Judge (JNOJ). 📉 **Consequences**: Attackers can access files outside the restricted directory, potentially exposing sensitive system data or source code.

🛡️ **Root Cause**: Improper input validation. The system fails to filter special elements in file paths. 🐛 **CWE**: Implicitly related to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

🎯 **Affected Product**: Jiangnan Online Judge (JNOJ). 📦 **Version**: Specifically **0.8.0**. 🏢 **Vendor**: Not specified (n/a).

💻 **Capabilities**: Local File Inclusion (LFI). 📂 **Impact**: Read arbitrary files from the server. ⚠️ **Risk**: Expose configuration files, source code, or sensitive user data located outside the web root.

🔓 **Threshold**: Low. 🌐 **Access**: Likely requires no authentication for the specific endpoint `/web/polygon/problem/viewfile`.…

🔍 **Exploit**: Yes. Public PoC available via Nuclei templates. 📝 **Payload Example**: `web/polygon/problem/viewfile?id=1&name=../.` 🌍 **Status**: Template exists in projectdiscovery/nuclei-templates.

🔎 **Check**: Scan for the endpoint `/web/polygon/problem/viewfile`. 🧪 **Test**: Inject `../` in the `name` parameter. 👀 **Indicator**: If the server returns content from outside the expected directory, it is vulnerable.

🔧 **Fix**: Upgrade to a patched version (if available). 📅 **Published**: Oct 13, 2019. 📌 **Note**: The data does not specify a fixed version number, only the vulnerable one (0.8.0).

🚫 **Workaround**: Restrict web server access to the `/web/polygon/problem/` directory. 🛑 **Mitigation**: Implement strict allow-listing for file names and block `../` sequences at the WAF or application level.

⚡ **Priority**: Medium-High. 📉 **CVSS**: Not provided, but LFI is critical. 🚨 **Action**: Immediate verification required for any running JNOJ 0.8.0 instances. Patch or isolate immediately.