Vulnerability Details : CVE-2013-7300
Absolute path traversal vulnerability in cantata before 1.2.2 allows local users to read arbitrary files via a full pathname in a request to the internal httpd server. NOTE: this vulnerability can be leveraged by remote attackers using CVE-2013-7301.
Vulnerability category: Directory traversal
Exploit prediction scoring system (EPSS) score for CVE-2013-7300
Probability of exploitation activity in the next 30 days: 0.28%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 64 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2013-7300
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST |
CWE ids for CVE-2013-7300
-
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-7300
-
http://seclists.org/oss-sec/2014/q1/124
oss-sec: Re: CVE request: Cantata vulnerability
-
http://seclists.org/oss-sec/2014/q1/121
oss-sec: CVE request: Cantata vulnerability
-
https://code.google.com/p/cantata/issues/detail?id=356
Internal http server should be removed: it is dangerously insecure · Issue #356 · CDrummond/cantata · GitHubExploit
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/90580
Cantata unspecified directory traversal CVE-2013-7300 Vulnerability Report
Products affected by CVE-2013-7300
- cpe:2.3:a:craig_drummond:cantata:*:*:*:*:*:*:*:*
- cpe:2.3:a:craig_drummond:cantata:0.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:craig_drummond:cantata:0.8.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:craig_drummond:cantata:0.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:craig_drummond:cantata:0.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:craig_drummond:cantata:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:craig_drummond:cantata:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:craig_drummond:cantata:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:craig_drummond:cantata:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:craig_drummond:cantata:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:craig_drummond:cantata:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:craig_drummond:cantata:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:craig_drummond:cantata:0.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:craig_drummond:cantata:0.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:craig_drummond:cantata:0.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:craig_drummond:cantata:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:craig_drummond:cantata:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:craig_drummond:cantata:0.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:craig_drummond:cantata:0.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:craig_drummond:cantata:0.7.0:*:*:*:*:*:*:*