CVE-2015-8747 - OpenCVE

The multifilesystem storage backend in Radicale before 1.1 allows remote attackers to read or write to arbitrary files via a crafted component name.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Radicale	Radicale

Configuration 1 [-]

cpe:2.3:a:radicale:radicale:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175738.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175776.html
http://www.debian.org/security/2016/dsa-3462
http://www.openwall.com/lists/oss-security/2016/01/05/7
http://www.openwall.com/lists/oss-security/2016/01/06/4
http://www.openwall.com/lists/oss-security/2016/01/06/7
http://www.securityfocus.com/bid/80255
https://github.com/Kozea/Radicale/pull/343
https://github.com/Unrud/Radicale/commit/bcaf452e516c02c9bed584a73736431c5e8831f1

History

No history.

MITRE

Status: PUBLISHED

Assigner: debian

Published: 2016-02-03T15:00:00

Updated: 2024-08-06T08:29:21.851Z

Reserved: 2016-01-06T00:00:00

Link: CVE-2015-8747

Vulnrichment

No data.

NVD

Status : Modified

Published: 2016-02-03T18:59:05.773

Modified: 2016-12-06T03:04:12.317

Link: CVE-2015-8747

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-01-05T00:00:00", "descriptions": [{"lang": "en", "value": "The multifilesystem storage backend in Radicale before 1.1 allows remote attackers to read or write to arbitrary files via a crafted component name."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-02T20:57:01", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian"}, "references": [{"name": "[oss-security] 20160106 Re: CVE request for radicale", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/01/06/7"}, {"name": "80255", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/80255"}, {"name": "[oss-security] 20160105 CVE request for radicale", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/01/05/7"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Unrud/Radicale/commit/bcaf452e516c02c9bed584a73736431c5e8831f1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Kozea/Radicale/pull/343"}, {"name": "DSA-3462", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3462"}, {"name": "FEDORA-2016-cf9e2429b5", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175776.html"}, {"name": "[oss-security] 20160106 Re: CVE request for radicale", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/01/06/4"}, {"name": "FEDORA-2016-f048c43393", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175738.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@debian.org", "ID": "CVE-2015-8747", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The multifilesystem storage backend in Radicale before 1.1 allows remote attackers to read or write to arbitrary files via a crafted component name."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20160106 Re: CVE request for radicale", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/01/06/7"}, {"name": "80255", "refsource": "BID", "url": "http://www.securityfocus.com/bid/80255"}, {"name": "[oss-security] 20160105 CVE request for radicale", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/01/05/7"}, {"name": "https://github.com/Unrud/Radicale/commit/bcaf452e516c02c9bed584a73736431c5e8831f1", "refsource": "CONFIRM", "url": "https://github.com/Unrud/Radicale/commit/bcaf452e516c02c9bed584a73736431c5e8831f1"}, {"name": "https://github.com/Kozea/Radicale/pull/343", "refsource": "CONFIRM", "url": "https://github.com/Kozea/Radicale/pull/343"}, {"name": "DSA-3462", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3462"}, {"name": "FEDORA-2016-cf9e2429b5", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175776.html"}, {"name": "[oss-security] 20160106 Re: CVE request for radicale", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/01/06/4"}, {"name": "FEDORA-2016-f048c43393", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175738.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T08:29:21.851Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20160106 Re: CVE request for radicale", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/01/06/7"}, {"name": "80255", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/80255"}, {"name": "[oss-security] 20160105 CVE request for radicale", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/01/05/7"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Unrud/Radicale/commit/bcaf452e516c02c9bed584a73736431c5e8831f1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Kozea/Radicale/pull/343"}, {"name": "DSA-3462", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3462"}, {"name": "FEDORA-2016-cf9e2429b5", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175776.html"}, {"name": "[oss-security] 20160106 Re: CVE request for radicale", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/01/06/4"}, {"name": "FEDORA-2016-f048c43393", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175738.html"}]}]}, "cveMetadata": {"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": "debian", "cveId": "CVE-2015-8747", "datePublished": "2016-02-03T15:00:00", "dateReserved": "2016-01-06T00:00:00", "dateUpdated": "2024-08-06T08:29:21.851Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:radicale:radicale:*:*:*:*:*:*:*:*", "matchCriteriaId": "7DEE81B3-0AB4-4246-9FE5-DD483A5157A2", "versionEndIncluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The multifilesystem storage backend in Radicale before 1.1 allows remote attackers to read or write to arbitrary files via a crafted component name."}, {"lang": "es", "value": "El backend de almacenamiento del sistema multiarchivo en Radicale en versiones anteriores a 1.1 permite a atacantes remotos leer o escribir en archivos arbitrarios a trav\u00e9s de un nombre de componente manipulado."}], "id": "CVE-2015-8747", "lastModified": "2016-12-06T03:04:12.317", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-02-03T18:59:05.773", "references": [{"source": "security@debian.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175738.html"}, {"source": "security@debian.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175776.html"}, {"source": "security@debian.org", "url": "http://www.debian.org/security/2016/dsa-3462"}, {"source": "security@debian.org", "url": "http://www.openwall.com/lists/oss-security/2016/01/05/7"}, {"source": "security@debian.org", "url": "http://www.openwall.com/lists/oss-security/2016/01/06/4"}, {"source": "security@debian.org", "url": "http://www.openwall.com/lists/oss-security/2016/01/06/7"}, {"source": "security@debian.org", "url": "http://www.securityfocus.com/bid/80255"}, {"source": "security@debian.org", "tags": ["Patch"], "url": "https://github.com/Kozea/Radicale/pull/343"}, {"source": "security@debian.org", "url": "https://github.com/Unrud/Radicale/commit/bcaf452e516c02c9bed584a73736431c5e8831f1"}], "sourceIdentifier": "security@debian.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}