CVE-2008-6508

2009-03-2320:00:00

CWE-22

[email protected]

web.nvd.nist.gov

In Wild

cve-2008-6508

directory traversal

authcheck filter

admin console

openfire 3.6.0a

security vulnerability

7.4 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.665 Medium

EPSS

Percentile

97.9%

JSON

Directory traversal vulnerability in the AuthCheck filter in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to bypass authentication and access the admin interface via a … (dot dot) in a URI that matches the Exclude-Strings list, as demonstrated by a /setup/setup-/… sequence in a URI.

CPENameOperatorVersion
igniterealtime:openfireigniterealtime openfireeq3.2.2
igniterealtime:openfireigniterealtime openfirele3.6.0a
igniterealtime:openfireigniterealtime openfireeq3.0.0
igniterealtime:openfireigniterealtime openfireeq3.0.1
igniterealtime:openfireigniterealtime openfireeq3.2.1
igniterealtime:openfireigniterealtime openfireeq3.4.4
igniterealtime:openfireigniterealtime openfireeq3.1.0
igniterealtime:openfireigniterealtime openfireeq3.4.0
igniterealtime:openfireigniterealtime openfireeq3.6.0
igniterealtime:openfireigniterealtime openfireeq3.2.3

CPE	Name	Operator	Version
igniterealtime:openfire	igniterealtime openfire	eq	3.2.2
igniterealtime:openfire	igniterealtime openfire	le	3.6.0a
igniterealtime:openfire	igniterealtime openfire	eq	3.0.0
igniterealtime:openfire	igniterealtime openfire	eq	3.0.1
igniterealtime:openfire	igniterealtime openfire	eq	3.2.1
igniterealtime:openfire	igniterealtime openfire	eq	3.4.4
igniterealtime:openfire	igniterealtime openfire	eq	3.1.0
igniterealtime:openfire	igniterealtime openfire	eq	3.4.0
igniterealtime:openfire	igniterealtime openfire	eq	3.6.0
igniterealtime:openfire	igniterealtime openfire	eq	3.2.3