CVE-2019-25087 : A vulnerability was found in RamseyK httpserver. It has been rated as critical.

A vulnerability was found in RamseyK httpserver. It has been rated as critical. This issue affects the function ResourceHost::getResource of the file src/ResourceHost.cpp of the component URI Handler. The manipulation of the argument uri leads to path traversal: '../filedir'. The attack may be initiated remotely. The name of the patch is 1a0de56e4dafff9c2f9c8f6b130a764f7a50df52. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216863.

Published 2022-12-27 09:15:10

Updated 2024-05-17 01:36:41

Source VulDB

View at NVD, CVE.org

Vulnerability category: Directory traversal

Products affected by CVE-2019-25087

Httpserver Project » Httpserver
Versions before (<) 2019-09-08
cpe:2.3:a:httpserver_project:httpserver:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-25087

EPSS FAQ

0.10%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 25 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-25087

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.3	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	VulDB
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	VulDB	2024-02-29
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2019-25087

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: nvd@nist.gov (Primary)
CWE-24 Path Traversal: '../filedir'

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.

Assigned by: cna@vuldb.com (Secondary)

References for CVE-2019-25087

https://vuldb.com/?id.216863

CVE-2019-25087 | RamseyK httpserver URI ResourceHost.cpp getResource path traversal
Third Party Advisory
https://github.com/RamseyK/httpserver/commit/1a0de56e4dafff9c2f9c8f6b130a764f7a50df52

Deny any directory traversal paths. README update · RamseyK/httpserver@1a0de56 · GitHub
Patch;Third Party Advisory
https://vuldb.com/?ctiid.216863

CVE-2019-25087 | RamseyK httpserver URI ResourceHost.cpp getResource path traversal
Third Party Advisory

Jump to

Vulnerability Details : CVE-2019-25087

Products affected by CVE-2019-25087

Exploit prediction scoring system (EPSS) score for CVE-2019-25087

CVSS scores for CVE-2019-25087

CWE ids for CVE-2019-25087

References for CVE-2019-25087