Lucene search

[email protected]CVE-2005-4852

HistoryOct 03, 2022 - 4:22 p.m.

CVE-2005-4852

2022-10-0316:22:46

CWE-264

[email protected]

web.nvd.nist.gov

ez publish

uri matching

access restrictions

cve-2005-4852

vulnerability

security

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.2%

JSON

The siteaccess URIMatching implementation in eZ publish 3.5 through 3.8 before 20050812 converts all non-alphanumeric characters in a URI to ‘_’ (underscore), which allows remote attackers to bypass access restrictions by inserting certain characters in a URI, as demonstrated by a request for /admin:de, which matches a rule allowing only /admin_de to access /admin.

Affected configurations

NVD

Node

ezez_publishRange3.5.0–3.5.8

CPENameOperatorVersion
ez:ez_publishez ez publishlt3.5.8

CPE	Name	Operator	Version
ez:ez_publish	ez ez publish	lt	3.5.8

References

ez.no/download/ez_publish/changelogs/ez_publish_3_8/changelog_3_6_x_3_7_x_to_3_8_0

issues.ez.no/7025

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.2%

JSON

Related for CVE-2005-4852

ubuntucve1 nvd1 cvelist1