CVE-2020-37041 Overview
OpenCTI 3.3.1 contains a critical directory traversal vulnerability in the static/css endpoint that allows unauthenticated attackers to read arbitrary files from the server filesystem. By sending crafted GET requests with path traversal sequences (e.g., ../) in the URL, an attacker escapes the intended static-assets directory and retrieves any file the OpenCTI process can read. The flaw affects OpenCTI installations on both Linux and Windows, exposing configuration files, credentials, and other sensitive data to unauthorized access.
Critical Impact
Unauthenticated attackers can read any file the OpenCTI process has permission to open, including /etc/passwd, application configuration files, and any credentials stored on the server filesystem.
Affected Products
- OpenCTI version 3.3.1
- Linux-based OpenCTI deployments (confirmed on Linux Mint)
- Windows-based OpenCTI deployments (confirmed on Windows 10)
Discovery Timeline
- Discovered by: Raif Berkay Dincel
- 2026-01-30: CVE-2020-37041 published to NVD
- 2026-02-03: Last updated in NVD database
Technical Details for CVE-2020-37041
Vulnerability Analysis
This directory traversal vulnerability (CWE-22) exists due to improper input validation in the static/css endpoint of OpenCTI 3.3.1. The application fails to properly sanitize user-supplied input containing path traversal sequences before using it to construct file paths. When the server receives a request containing ../ sequences, it does not adequately filter or neutralize these characters, allowing the request to traverse outside the intended web root directory.
The vulnerability is network-accessible and requires no authentication to exploit, making it particularly dangerous for internet-facing OpenCTI deployments. An attacker can leverage this flaw to read any file that the web server process has permissions to access, potentially exposing sensitive configuration data, database credentials, API keys, and system files.
Root Cause
The root cause is insufficient input validation in the URL path handling logic for the static/css endpoint: the application builds a filesystem path from the requested URL without canonicalizing the result and checking that it still lies inside the static assets directory. When path traversal sequences like ../ are included in the request URL, the server resolves them and reads files outside that directory.
Attack Vector
The attack exploits the network-accessible static/css endpoint through simple HTTP GET requests. An unauthenticated attacker constructs a URL containing enough ../ sequences to climb to the filesystem root and then appends the target path. For example, a request to /static/css//../../../../../../../../etc/passwd traverses out of the CSS directory and returns the contents of the system's password file. Surplus ../ sequences cost the attacker nothing, since .. at the root directory stays at the root, so the exact depth of the assets directory need not be known.
The attack requires no user interaction and no authentication, and can be executed remotely; the attacker only needs network access to the OpenCTI instance. On Windows, the same technique reaches files such as C:\Windows\System32\config\SAM or application configuration files, subject to the permissions of the OpenCTI process and to operating-system locks (the SAM hive, for instance, is held open exclusively by Windows while the system is running, so a read of it typically fails even when the traversal itself succeeds).
Detection Methods for CVE-2020-37041
Indicators of Compromise
- HTTP requests to /static/css/ containing ../ or its encoded forms (..%2F, %2e%2e/, ..%5C, or double-encoded %252e%252e)
- Web server access logs showing requests attempting to access system files like /etc/passwd, /etc/shadow, or Windows system files
- Unusual GET requests to the static/css endpoint with abnormally long URL paths
- Multiple failed or successful file access attempts from the same source IP targeting the static assets endpoint
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing path traversal patterns (../, ..%2F, ..\, ..%5C); match against both the raw and the percent-decoded URL, since a rule that inspects only one form misses the other
- Configure SIEM alerts for HTTP requests matching directory traversal patterns in URL paths
- Monitor web server logs for requests to the static/css endpoint containing encoded or decoded traversal sequences
- Deploy intrusion detection system (IDS) signatures to identify OpenCTI directory traversal exploitation attempts
Monitoring Recommendations
- Enable verbose logging on the OpenCTI web server to capture full request URLs and response codes
- Implement real-time log analysis to detect patterns indicative of file enumeration or system file access attempts
- Monitor for unusual file system access patterns from the OpenCTI process, especially reads of files outside the application directory
- Set up alerting for any successful responses (HTTP 200) to requests containing path traversal indicators
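The log-based indicators above, as an added example that is not from the original page or the OpenCTI project: it parses constructed access-log lines in the nginx/Apache "combined" format, decodes single- and double-encoded traversal sequences before matching, ignores file names that merely contain "..", and separates attempts the server blocked from those it answered with HTTP 200.

```javascript
// Added example (not from the original page or the OpenCTI project): scan
// web-server access logs for directory traversal attempts and separate the
// requests the server blocked from the ones it answered with HTTP 200.
// The log lines are constructed for this example in the nginx/Apache
// "combined" format; the regex follows that format's field order.

// client ip, [timestamp], "METHOD path protocol", status
const COMBINED_LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

// Percent-decode repeatedly, a bounded number of times, so that double-encoded
// sequences such as %252e%252e are seen as "..". Stops when a round changes
// nothing or the encoding is malformed.
function fullyDecode(s, maxRounds = 3) {
  let current = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break; // malformed escape: keep what we have
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// True when, after decoding and treating backslashes as slashes, the path
// component contains a ".." segment. A literal ".." inside a file name
// (theme..css) is not a traversal and is not flagged.
function isTraversal(rawPath) {
  const pathOnly = rawPath.split('?')[0];
  const decoded = fullyDecode(pathOnly).replace(/\\/g, '/');
  return /(^|\/)\.\.(\/|$)/.test(decoded);
}

// Parse every line, keep the traversal candidates, and record whether the
// server answered 200 (possible data exposure) or rejected the request.
function scanAccessLog(logText) {
  const findings = [];
  logText.split('\n').forEach((line, index) => {
    const m = COMBINED_LOG_RE.exec(line);
    if (!m) return; // not a combined-format line
    const [, ip, timestamp, method, rawPath, status] = m;
    if (!isTraversal(rawPath)) return;
    findings.push({
      line: index + 1,
      ip,
      timestamp,
      method,
      rawPath,
      decodedPath: fullyDecode(rawPath.split('?')[0]),
      status: Number(status),
      targetsStaticCss: rawPath.startsWith('/static/css'),
      succeeded: status === '200',
    });
  });
  return findings;
}

// Constructed sample: one benign asset request, three traversal attempts
// (plain, single-encoded, double-encoded) from one source, and a file name
// that merely contains "..".
const SAMPLE_LOG = [
  '10.0.0.5 - - [30/Jan/2026:10:01:02 +0000] "GET /static/css/main.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [30/Jan/2026:10:02:11 +0000] "GET /static/css//../../../../../../../../etc/passwd HTTP/1.1" 200 1873 "-" "curl/7.68.0"',
  '203.0.113.7 - - [30/Jan/2026:10:02:15 +0000] "GET /static/css/..%2F..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 153 "-" "curl/7.68.0"',
  '203.0.113.7 - - [30/Jan/2026:10:02:20 +0000] "GET /static/css/%252e%252e/%252e%252e/%252e%252e/windows/win.ini HTTP/1.1" 200 403 "-" "curl/7.68.0"',
  '10.0.0.9 - - [30/Jan/2026:10:03:00 +0000] "GET /static/css/theme..css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
].join('\n');

for (const f of scanAccessLog(SAMPLE_LOG)) {
  console.log(`${f.succeeded ? 'EXPOSED' : 'blocked'} line ${f.line} ${f.ip} ${f.status} ${f.decodedPath}`);
}
```

Findings with succeeded set to true are the ones to treat as potential data exposure and review first; a 403 or 400 means the proxy or application refused the request, which is still worth recording as reconnaissance from that source.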
How to Mitigate CVE-2020-37041
Immediate Actions Required
- Upgrade OpenCTI to a version newer than 3.3.1 that addresses this vulnerability
- Implement network segmentation to limit access to the OpenCTI instance to trusted networks only
- Deploy a web application firewall (WAF) with rules to block path traversal attempts
- Review web server access logs for evidence of exploitation and potential data exposure
- If upgrading is not immediately possible, restrict network access to OpenCTI using firewall rules
Patch Information
Users should upgrade to a patched version of OpenCTI that properly validates and sanitizes file path input. Consult the OpenCTI Platform Repository for the latest releases and security updates. Additional technical details about this vulnerability can be found at Exploit-DB #48595 and the VulnCheck Advisory for OpenCTI.
Workarounds
- Deploy a reverse proxy (such as nginx or Apache) in front of OpenCTI configured to reject requests containing path traversal sequences
- Configure the proxy to reject requests containing ../ patterns outright rather than stripping them: a single-pass strip turns ....// into ../ and reopens the hole
- Use operating system-level access controls to restrict the OpenCTI process's file system permissions to only necessary directories
- Place OpenCTI behind a VPN or require authentication at the network level to limit exposure to trusted users
# Example nginx configuration to block path traversal attempts at a reverse
# proxy in front of OpenCTI. $request_uri is the raw, un-normalized request
# line, so percent-encoded variants are still visible to the match; $uri
# would already have been decoded and had ".." segments resolved by nginx.
# The upstream address is an assumption; adjust it to your deployment.
location /static/ {
    # Reject literal or percent-encoded ".." anywhere in the request URI
    # (query string included, which is acceptable for static assets).
    if ($request_uri ~* "(\.\.|%2e%2e|\.%2e|%2e\.)") {
        return 403;
    }
    proxy_pass http://127.0.0.1:4000;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.