Ubuntu.comUB:CVE-2016-3952CVE-2016-3952
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
73.6%
web2py before 2.14.1, when using the standalone version, allows remote
attackers to obtain environment variable values via a direct request to
examples/template_examples/beautify. NOTE: this issue can be leveraged by
remote attackers to gain administrative access.
References
devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/
github.com/web2py/web2py/commit/9706d125b42481178d2b423de245f5d2faadbf40
launchpad.net/bugs/cve/CVE-2016-3952
nvd.nist.gov/vuln/detail/CVE-2016-3952
security-tracker.debian.org/tracker/CVE-2016-3952
ubuntu.com/security/notices/USN-4030-1
www.cve.org/CVERecord?id=CVE-2016-3952
Related
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
73.6%