CVE-2022-50890
Path Traversal in Owlfiles 12.0.1 HTTP Server Allows Directory Access

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: VulnCheck

Description
Owlfiles File Manager 12.0.1 contains a path traversal vulnerability in its built-in HTTP server that allows attackers to access system directories. Attackers can exploit the vulnerability by crafting GET requests with directory traversal sequences to access restricted system directories on the device.
Meta Information
Published: 2026-01-13
Last Modified: 2026-01-13
Generated: 2026-05-06
AI Q&A: 2026-01-14
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor Product Version / Range
skyjos owlfiles_file_manager 12.0.1
CWE ID: CWE-22
Description: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2022-50890 is a path traversal vulnerability in Owlfiles File Manager version 12.0.1. It exists in the app's built-in HTTP server, which improperly handles file path inputs. Attackers can craft malicious GET requests containing directory traversal sequences (like '../../../../../../') to access restricted system directories and sensitive files on the device, such as system folders and configuration files. This happens because the server does not properly validate or restrict pathname access, allowing unauthorized browsing and file reading outside the intended root directory. [1, 4]


How can this vulnerability impact me?

This vulnerability can allow attackers to access sensitive system directories and files on your device without authorization. They can retrieve critical configuration files, browse internal file structures, and potentially gain information that could be used for further attacks. Additionally, related vulnerabilities in the app's HTTP and FTP servers can expose system directories and enable execution of malicious scripts via cross-site scripting (XSS). Overall, it poses significant security risks by exposing private data and system information to attackers remotely over the network. [1, 4]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending crafted GET requests to the Owlfiles File Manager's built-in HTTP server to check for directory traversal. For example, sending a GET request like `GET /../../../../../../../../../../../../../../../System/ HTTP/1.1` and observing if it returns directory listings of sensitive system folders indicates the vulnerability. Similarly, requesting files such as `GET /../../../../../../../../../../../../../../../etc/hosts HTTP/1.1` can confirm unauthorized file access. On the FTP server, commands like `cd ../../../../../../../../../` followed by `ls` can be used to check if directory traversal is possible outside the FTP root. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate steps to mitigate this vulnerability include disabling or restricting access to the built-in HTTP and FTP servers of Owlfiles File Manager 12.0.1 to prevent exploitation via crafted GET requests or FTP commands. Additionally, avoid exposing the application to untrusted networks until a patch or update addressing the path traversal and related vulnerabilities is applied. Monitoring network traffic for suspicious directory traversal attempts and applying any available security updates from the developer are also recommended. [1, 4]
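
The answer above recommends monitoring traffic for directory traversal attempts. One way to implement that check over HTTP request lines, as an added example (not code from Owlfiles or from this advisory): the function names, the decode bound and the sample request lines are assumptions constructed for illustration.

```python
from urllib.parse import unquote, urlsplit

MAX_DECODE_ROUNDS = 3  # assumption: how many layers of percent-encoding to unwrap


def escapes_root(target: str) -> bool:
    """True if the request path climbs above the served root at any point."""
    path = urlsplit(target).path  # drop the query string and fragment
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    depth = 0
    # Treat backslashes as separators so "..\" is caught as well.
    for segment in path.replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:  # stepped above the root: CWE-22 condition
                return True
        else:
            depth += 1
    return False


def flag_requests(request_lines):
    """Return the request lines whose target resolves outside the root."""
    flagged = []
    for line in request_lines:
        parts = line.split()
        if len(parts) >= 2 and escapes_root(parts[1]):
            flagged.append(line)
    return flagged


# Constructed sample request lines (not captured traffic).
SAMPLE = [
    "GET /Documents/report.pdf HTTP/1.1",
    "GET /Documents/../Photos/a.jpg HTTP/1.1",
    "GET /../../../../../../etc/hosts HTTP/1.1",
    "GET /%2e%2e/%2e%2e/System/ HTTP/1.1",
    "GET /Documents/%252e%252e/%252e%252e/etc/hosts HTTP/1.1",
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE):
        print("traversal:", hit)
```

Tracking depth instead of matching the string `../` avoids flagging paths that use `..` but stay inside the root, and the bounded decode loop catches percent-encoded and double-encoded forms.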

