Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1mZ3F2LTk2djktdzIzbc4AActG

Radicale vulnerable to arbitrary file read or write

The multifilesystem storage backend in Radicale before 1.1 allows remote attackers to read or write to arbitrary files via a crafted component name.

Permalink: https://github.com/advisories/GHSA-fgqv-96v9-w23m
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mZ3F2LTk2djktdzIzbc4AActG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: 3 months ago

CVSS Score: 10.0
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

EPSS Percentage: 0.00514
EPSS Percentile: 0.76979

Identifiers: GHSA-fgqv-96v9-w23m, CVE-2015-8747
References:

• https://nvd.nist.gov/vuln/detail/CVE-2015-8747
• https://github.com/Kozea/Radicale/pull/343
• https://github.com/Unrud/Radicale/commit/bcaf452e516c02c9bed584a73736431c5e8831f1
• http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175738.html
• http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175776.html
• http://www.debian.org/security/2016/dsa-3462
• http://www.openwall.com/lists/oss-security/2016/01/05/7
• http://www.openwall.com/lists/oss-security/2016/01/06/4
• http://www.openwall.com/lists/oss-security/2016/01/06/7
• https://github.com/Kozea/Radicale/commit/18c88642fb19ee1480690e51fff9605ecc6fdab5
• https://web.archive.org/web/20200804235922/http://www.securityfocus.com/bid/80255
• https://github.com/pypa/advisory-database/tree/main/vulns/radicale/PYSEC-2016-36.yaml
• https://github.com/advisories/GHSA-fgqv-96v9-w23m

Repository: https://github.com/Kozea/Radicale
Blast Radius: 14.8

Affected Packages