CVE-2019-14924

{"id": "CVE-2019-14924", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2019-08-10T19:15:10.920", "references": [{"url": "https://github.com/swisspol/GCDWebServer/commit/02738433bf2e1b820ef48f04edd15df304081802", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/swisspol/GCDWebServer/compare/3.5.2...3.5.3", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/swisspol/GCDWebServer/issues/433", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in GCDWebServer before 3.5.3. The method moveItem in the GCDWebUploader class checks the FileExtension of newAbsolutePath but not oldAbsolutePath. By leveraging this vulnerability, an adversary can make an inaccessible file be available (the credential of the app, for instance)."}, {"lang": "es", "value": "Se detect\u00f3 un problema en GCDWebServer anterior a versi\u00f3n 3.5.3. El m\u00e9todo moveItem en la clase GCDWebUploader comprueba la FileExtension de newAbsolutePath pero no de oldAbsolutePath. Mediante el aprovechamiento de esta vulnerabilidad, un adversario puede hacer que un archivo inaccesible est\u00e9 disponible (la credencial de la aplicaci\u00f3n, por ejemplo)."}], "lastModified": "2021-07-21T11:39:23.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gcdwebserver_project:gcdwebserver:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4F2F760D-95AB-48E1-9F40-143CB1CCB104", "versionEndExcluding": "3.5.3"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}