CVE-2019-12479

{"id": "CVE-2019-12479", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.4, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2019-08-13T21:15:11.347", "references": [{"url": "https://security401.com/twentytwenty-storage-path-traversal/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in 20|20 Storage 2.11.0. A Path Traversal vulnerability in the TwentyTwenty.Storage library in the LocalStorageProvider allows creating and reading files outside of the specified basepath. If the application using this library does not sanitize user-supplied filenames, then this issue may be exploited to read or write arbitrary files. This affects LocalStorageProvider.cs."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en 20|20 Storage 2.11.0. Una vulnerabilidad de Ruta transversal en la biblioteca TwentyTwenty.Storage en LocalStorageProvider permite crear y leer archivos fuera de la ruta base especificada. Si la aplicaci\u00f3n que usa esta biblioteca no desinfecta los nombres de archivo proporcionados por el usuario, entonces este problema puede explotarse para leer o escribir archivos arbitrarios. Esto afecta a LocalStorageProvider.cs."}], "lastModified": "2019-08-21T18:40:28.907", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:twentytwenty.storage_project:twentytwenty.storage:2.11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "49BE1167-5CE8-4983-A46F-0F9F7155FE4B"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}