CVE-2023-0046 : Improper Restriction of Names for Files and Other Resources in GitHub repository

Improper Restriction of Names for Files and Other Resources in GitHub repository lirantal/daloradius prior to master-branch.

Published 2023-01-04 12:15:09

Updated 2023-01-10 18:39:14

Source huntr.dev

View at NVD, CVE.org

Products affected by CVE-2023-0046

Daloradius » Daloradius
Versions before (<) 2023-01-04
cpe:2.3:a:daloradius:daloradius:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.07%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 19 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.2	HIGH	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	1.2	5.9	huntr.dev
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.2	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	1.2	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE-641 Improper Restriction of Names for Files and Other Resources

The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.

Assigned by: security@huntr.dev (Primary)

https://github.com/lirantal/daloradius/commit/2013c2d1231e99dac918247b69b198ded1f30a1c

Better validating log filepath (#326) · lirantal/daloradius@2013c2d · GitHub
Patch;Third Party Advisory
https://huntr.dev/bounties/2214dc41-f283-4342-95b1-34a2f4fea943

Unrestricted Logging Filename Lead to RCE vulnerability found in daloradius
Exploit;Issue Tracking;Patch;Third Party Advisory

Jump to