CVE-2015-3309

Опубликовано: 13 фев. 2020

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

Directory traversal vulnerability in node/utils/Minify.js in Etherpad 1.1.2 through 1.5.4 allows remote attackers to read arbitrary files with permissions of the user running the service via a .. (dot dot) in the path parameter of HTTP API requests. NOTE: This vulnerability is due to an incomplete fix to CVE-2015-3297.

Ссылки

http://cve.killedkenny.io/cve/CVE-2015-3309
Third Party Advisory
http://www.openwall.com/lists/oss-security/2015/04/16/8
Mailing List
Third Party Advisory
https://github.com/ether/etherpad-lite/commit/0fa7650df8f940ed6b577d79836a78eb09726c4b
Third Party Advisory
http://cve.killedkenny.io/cve/CVE-2015-3309
Third Party Advisory
http://www.openwall.com/lists/oss-security/2015/04/16/8
Mailing List
Third Party Advisory
https://github.com/ether/etherpad-lite/commit/0fa7650df8f940ed6b577d79836a78eb09726c4b
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:etherpad:etherpad:*:*:*:*:*:*:*:*

Версия от 1.1.2 (включая) до 1.5.4 (включая)

EPSS

Процентиль: 62%

0.00433

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-22

Связанные уязвимости

CVE-2015-3309

CVSS3: 7.5

debian

почти 6 лет назад

Directory traversal vulnerability in node/utils/Minify.js in Etherpad ...

GHSA-fpgg-qjcj-58g7

github

больше 3 лет назад