Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly download backup ZIP files via ‘http(s)://[server]/download/…’ without requiring authentication. This exposes highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement.
When a BioStar 2 system administrator configures the backup file path inside the NGINX server's root directory (webroot), these files become publicly accessible via HTTP/HTTPS. Incorrect permissions on this critical resource (CWE-732) do not enforce any access control or authentication. An attacker can directly download the backup ZIP archive by sending an HTTP(S) request to the address 'http(s)://[server]/download/…' without providing any authentication credentials.
An attacker can download backup files containing highly sensitive data, which may lead to server impersonation, unauthorized database access, and lateral movement within the victim's network.
Apply patches available from the manufacturer in accordance with the references provided. Until an update is applied, it is recommended to move the backup file storage path outside the NGINX server's webroot directory and verify access permissions for directories containing backups.
Suprema BioStar 2 versions 2.9.3 to 2.9.11 (inclusive), when the backup path is configured in the NGINX server's webroot directory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X