CVE-2020-15239

{"id": "CVE-2020-15239", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.8}]}, "published": "2020-10-06T19:15:13.633", "references": [{"url": "https://github.com/horazont/xmpp-http-upload/commit/82056540191e89f0cd697c81f57714c00962ed75", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/horazont/xmpp-http-upload/pull/12", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/horazont/xmpp-http-upload/security/advisories/GHSA-hwv5-w8gm-fq9f", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://pypi.org/project/xmpp-http-upload/#history", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/horazont/xmpp-http-upload/commit/82056540191e89f0cd697c81f57714c00962ed75", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/horazont/xmpp-http-upload/pull/12", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/horazont/xmpp-http-upload/security/advisories/GHSA-hwv5-w8gm-fq9f", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://pypi.org/project/xmpp-http-upload/#history", "tags": ["Release Notes", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "In xmpp-http-upload before version 0.4.0, when the GET method is attacked, attackers can read files which have a `.data` suffix and which are accompanied by a JSON file with the `.meta` suffix. This can lead to Information Disclosure and in some shared-hosting scenarios also to circumvention of authentication or other limitations on the outbound (GET) traffic. For example, in a scenario where a single server has multiple instances of the application running (with separate DATA_ROOT settings), an attacker who has knowledge about the directory structure is able to read files from any other instance to which the process has read access. If instances have individual authentication (for example, HTTP authentication via a reverse proxy, source IP based filtering) or other restrictions (such as quotas), attackers may circumvent those limits in such a scenario by using the Directory Traversal to retrieve data from the other instances. If the associated XMPP server (or anyone knowing the SECRET_KEY) is malicious, they can write files outside the DATA_ROOT. The files which are written are constrained to have the `.meta` and the `.data` suffixes; the `.meta` file will contain the JSON with the Content-Type of the original request and the `.data` file will contain the payload. The issue is patched in version 0.4.0."}, {"lang": "es", "value": "En xmpp-http-upload anterior a la versi\u00f3n 0.4.0, cuando el m\u00e9todo GET es atacado, los atacantes pueden leer archivos que tienen un sufijo \".data\" y que est\u00e1n acompa\u00f1ados de un archivo JSON con el sufijo \".meta\". Esto puede conducir a una divulgaci\u00f3n de informaci\u00f3n y, en algunos escenarios de hosting compartido, tambi\u00e9n a una omisi\u00f3n de autenticaci\u00f3n u otras limitaciones en el tr\u00e1fico saliente (GET). Por ejemplo, en un escenario en el que un solo servidor posee varias instancias de la aplicaci\u00f3n en ejecuci\u00f3n (con configuraciones DATA_ROOT separadas), un atacante que tenga conocimiento sobre la estructura del directorio puede leer archivos de cualquier otra instancia a la que el proceso tenga acceso de lectura. Si las instancias tienen autenticaci\u00f3n individual (por ejemplo, autenticaci\u00f3n HTTP por medio de un proxy inverso, filtrado basado en IP de origen) u otras restricciones (como cuotas), los atacantes pueden omitir esos l\u00edmites en tal escenario usando un Salto de Directorio para recuperar datos de las otras instancias. Si el servidor XMPP asociado (o cualquier persona que conozca la SECRET_KEY) es malicioso, puede escribir archivos fuera de DATA_ROOT. Los archivos que se escriben est\u00e1n limitados a tener los sufijos \".meta\" y \".data\"; el archivo \".meta\" contendr\u00e1 el JSON con el tipo de contenido de la petici\u00f3n original y el archivo \".data\" contendr\u00e1 la carga \u00fatil. El problema est\u00e1 parcheado en la versi\u00f3n 0.4.0"}], "lastModified": "2024-11-21T05:05:09.893", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xmpp-http-upload_project:xmpp-http-upload:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "103FED28-C896-42E2-8C47-863D84A841C3", "versionEndExcluding": "0.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}