Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02NDUyLWpyOTMtcjVxbc4AAhV6
b3log Wide unauthenticated file access
b3log Wide before 1.6.0 allows three types of attacks to access arbitrary files. First, the attacker can write code in the editor, and compile and run it approximately three times to read an arbitrary file. Second, the attacker can create a symlink, and then place the symlink into a ZIP archive. An unzip operation leads to read access, and write access (depending on file permissions), to the symlink target. Third, the attacker can import a Git repository that contains a symlink, similarly leading to read and write access.
Permalink: https://github.com/advisories/GHSA-6452-jr93-r5qmJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02NDUyLWpyOTMtcjVxbc4AAhV6
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 8 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-6452-jr93-r5qm, CVE-2019-13915
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-13915
- https://github.com/b3log/wide/issues/355
- https://sca.analysiscenter.veracode.com/vulnerability-database/security/arbitrary-file-reads-and-writes/go/sid-20862
- https://web.archive.org/web/20190522035724/https://github.com/b3log/wide
- https://github.com/advisories/GHSA-6452-jr93-r5qm
Blast Radius: 0.0
Affected Packages
go:github.com/b3log/wide
Dependent packages: 0Dependent repositories: 1
Downloads:
Affected Version Ranges: < 1.6.0
Fixed in: 1.6.0
All affected versions:
All unaffected versions: 1.6.0