Description
In tgstation-server 4.4.0 and 4.4.1, an authenticated user with permission to download logs can download any file on the server machine (accessible by the owner of the server process) via directory traversal ../ sequences in /Administration/Logs/ requests. The attacker is unable to enumerate files, however.
Vulnerable configurations
Configuration 1
One of
cpe:2.3:a:tgstation13:tgstation-server:4.4.0:*:*:*:*:*:*:*
cpe:2.3:a:tgstation13:tgstation-server:4.4.1:*:*:*:*:*:*:*
EPSS
Percentile: 81%
0.01578
Low
CVSS3: 7.7 High
CVSS2: 6.8 Medium
Weaknesses
CWE-22