Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZwNjMtNDk5bS1ocTZt
Files or Directories Accessible to External Parties in ether/logs
Impact
A vulnerability was found that allowed authenticated admin users to access any file on the server.
Patches
The vulnerability has been fixed in 3.0.4.
Workarounds
We recommend disabling the plugin if untrustworthy sources have admin access.
For more information
If you have any questions or comments about this advisory:
- Open an issue in ether/logs
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZwNjMtNDk5bS1ocTZt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago
CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-fp63-499m-hq6m, CVE-2021-32752
References:
- https://github.com/ethercreative/logs/security/advisories/GHSA-fp63-499m-hq6m
- https://github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4
- https://github.com/ethercreative/logs/releases/tag/3.0.4
- https://nvd.nist.gov/vuln/detail/CVE-2021-32752
- https://github.com/advisories/GHSA-fp63-499m-hq6m
Blast Radius: 7.8
Affected Packages
packagist:ether/logs
Dependent packages: 4Dependent repositories: 12
Downloads: 226,909 total
Affected Version Ranges: < 3.0.4
Fixed in: 3.0.4
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3
All unaffected versions: 3.0.4, 3.0.5, 3.0.6, 4.0.0