Executive Summary
Summary | |
---|---|
Title | New trac package fixes upload/download vulnerability |
Informations | |||
---|---|---|---|
Name | DSA-739 | First vendor Publication | 2005-07-06 |
Vendor | Debian | Last vendor Modification | 2005-07-06 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 6.4 | Attack Range | Network |
Cvss Impact Score | 4.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Stefan Esser discovered an input validation flaw within Trac, a wiki and issue tracking system, that allows download/upload of files and therefore can lead to remote code execution in some configurations. The old stable distribution (woody) does not contain the trac package. For the stable distribution (sarge) this problem has been fixed in version 0.8.1-3sarge2. For the unstable distribution (sid) this problem has been fixed in version 0.8.4-1. We recommend that you upgrade your trac package. |
Original Source
Url : http://www.debian.org/security/2005/dsa-739 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 3 |
OpenVAS Exploits
Date | Description |
---|---|
2008-09-04 | Name : FreeBSD Ports: trac File : nvt/freebsd_trac.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 739-1 (trac) File : nvt/deb_739_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
17398 | Trac id Variable Arbitrary File Upload / Access Trac contains a flaw that may allow a malicious user to upload and access arbitrary file. The issue is due to insufficient validation of 'id' variable. An attacker can supply arbitrary paths to attachement upload and viewer scripts, resulting in a loss of integrity. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2005-07-13 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_b02c1d80e1bb11d9b8750001020eed82.nasl - Type : ACT_GATHER_INFO |
2005-07-06 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-739.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:34:05 |
|