CVE-2018-13864

{"id": "CVE-2018-13864", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2018-07-17T12:29:00.230", "references": [{"url": "https://www.playframework.com/security/vulnerability/CVE-2018-13864-PathTraversal", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.playframework.com/security/vulnerability/CVE-2018-13864-PathTraversal", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "A directory traversal vulnerability has been found in the Assets controller in Play Framework 2.6.12 through 2.6.15 (fixed in 2.6.16) when running on Windows. It allows a remote attacker to download arbitrary files from the target server via specially crafted HTTP requests."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad de salto de directorio en el controlador Assets en Play Framework desde la versi\u00f3n 2.6.12 hasta la 2.6.15 (solucionado en la 2.6.16) al ejecutarse en Windows. Permite que un atacante remoto descargue archivos arbitrarios desde el servidor objetivo mediante peticiones HTTP especialmente manipuladas."}], "lastModified": "2024-11-21T03:48:12.683", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lightbend:play_framework:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "36492730-56EC-4847-BF13-6D234A803368", "versionEndIncluding": "2.6.15", "versionStartIncluding": "2.6.12"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}