Vulnerability Details : CVE-2019-14924
An issue was discovered in GCDWebServer before 3.5.3. The method moveItem in the GCDWebUploader class checks the file extension of newAbsolutePath but not oldAbsolutePath. By leveraging this vulnerability, an adversary can make an otherwise inaccessible file available (the app's credentials, for instance).
Products affected by CVE-2019-14924
- cpe:2.3:a:gcdwebserver_project:gcdwebserver:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-14924
- EPSS score: 0.19% (probability of exploitation activity in the next 30 days)
- Percentile: ~56% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2019-14924
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST |
CWE ids for CVE-2019-14924
- The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2019-14924
- https://github.com/swisspol/GCDWebServer/commit/02738433bf2e1b820ef48f04edd15df304081802 (commit 0273843: "Enforce hidden and extensions restrictions when moving and copying fi…") [Patch; Third Party Advisory]
- https://github.com/swisspol/GCDWebServer/compare/3.5.2...3.5.3 (Comparing 3.5.2...3.5.3) [Patch; Third Party Advisory]
- https://github.com/swisspol/GCDWebServer/issues/433 (Issue #433: "Security issue of GCDWebUploader") [Third Party Advisory]