Lucene search

GitHub_MCVELIST:CVE-2023-46237

HistoryOct 31, 2023 - 2:59 p.m.

CVE-2023-46237 FOG path traversal via unauthenticated endpoint

2023-10-3114:59:37

CWE-22

GitHub_M

www.cve.org

fog

path traversal

vulnerability

patch

version 1.5.10

unauthenticated users

apache user group.

5.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

19.0%

JSON

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to version 1.5.10, an endpoint intended to offer limited enumeration abilities to authenticated users was accessible to unauthenticated users. This enabled unauthenticated users to discover files and their respective paths that were visible to the Apache user group. Version 1.5.10 contains a patch for this issue.

CNA Affected

[
  {
    "vendor": "FOGProject",
    "product": "fogproject",
    "versions": [
      {
        "version": "< 1.5.10",
        "status": "affected"
      }
    ]
  }
]

References

github.com/FOGProject/fogproject/commit/68d73740d7d40aee77cfda3fb8199d58bf04f48b

github.com/FOGProject/fogproject/security/advisories/GHSA-ffp9-rhfm-98c2

5.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

19.0%

JSON

Related for CVELIST:CVE-2023-46237