Lucene search

[email protected]NVD:CVE-2019-13915

HistoryJul 18, 2019 - 3:15 p.m.

CVE-2019-13915

2019-07-1815:15:11

CWE-59

CWE-74

[email protected]

web.nvd.nist.gov

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.004

Percentile

74.1%

JSON

b3log Wide before 1.6.0 allows three types of attacks to access arbitrary files. First, the attacker can write code in the editor, and compile and run it approximately three times to read an arbitrary file. Second, the attacker can create a symlink, and then place the symlink into a ZIP archive. An unzip operation leads to read access, and write access (depending on file permissions), to the symlink target. Third, the attacker can import a Git repository that contains a symlink, similarly leading to read and write access.

Affected configurations

Nvd

Node

b3logwideRange<1.6.0

VendorProductVersionCPE
b3logwide*cpe:2.3:a:b3log:wide:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
b3log	wide	*	cpe:2.3:a:b3log:wide::::::::

References

github.com/b3log/wide/issues/355

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.004

Percentile

74.1%

JSON

Related for NVD:CVE-2019-13915

prion1 cve1 osv2 cvelist1 github1 veracode1