CVE-2020-5720: 
NixOS vulnerability analysis and mitigation

MikroTik WinBox before version 3.21 was discovered to contain a path traversal vulnerability (CVE-2020-5720). The vulnerability was disclosed on February 6, 2020, affecting all versions of WinBox prior to 3.21. This security flaw allows attackers to create arbitrary files anywhere on the system where WinBox has write permissions (Tenable Advisory, NVD).

The vulnerability occurs when WinBox connects to a router and downloads the list file from /home/web/webfig/. This file contains a list of files that WinBox should download for package descriptions. The application stores these files in the MikroTik roaming directory (C:\Users[username]\AppData\Roaming\Mikrotik\Winbox) without performing any directory traversal checks on the filenames. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (Tenable Advisory).

If exploited, this vulnerability allows attackers to write files to arbitrary locations on the system where WinBox has write permissions. This could potentially lead to system compromise or unauthorized file manipulation (Tenable Advisory).

The vulnerability was patched in WinBox version 3.21. Users are advised to upgrade to this version or later to mitigate the risk (Tenable Advisory).