CVE-2019-16409 - OpenCVE

In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding of the symbiote/silverstripe-versionedfiles source code. (Users who upgrade from SilverStripe 3.x to 4.x and had Versioned Files installed have no further need for this module, because the 4.x release has built-in versioning. However, nothing in the upgrade process automates the destruction of these insecure artefacts, nor alerts the user to the criticality of destruction.)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Silverstripe	Silverstripe
Symbiote	Versionedfiles

Configuration 1 [-]

OR	cpe:2.3:a:silverstripe:silverstripe::::::::
	cpe:2.3:a:symbiote:versionedfiles::::::silverstripe::*

No data.

References

Link	Providers
https://github.com/silverstripe/silverstripe-framework
https://github.com/symbiote/silverstripe-versionedfiles
https://www.silverstripe.org/download/security-releases/cve-2019-16409

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-09-26T14:36:27

Updated: 2024-08-05T01:17:39.578Z

Reserved: 2019-09-18T00:00:00

Link: CVE-2019-16409

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-09-26T16:15:11.267

Modified: 2021-07-21T11:39:23.747

Link: CVE-2019-16409

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding of the symbiote/silverstripe-versionedfiles source code. (Users who upgrade from SilverStripe 3.x to 4.x and had Versioned Files installed have no further need for this module, because the 4.x release has built-in versioning. However, nothing in the upgrade process automates the destruction of these insecure artefacts, nor alerts the user to the criticality of destruction.)"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-09-26T14:36:39", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/symbiote/silverstripe-versionedfiles"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/silverstripe/silverstripe-framework"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.silverstripe.org/download/security-releases/cve-2019-16409"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-16409", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding of the symbiote/silverstripe-versionedfiles source code. (Users who upgrade from SilverStripe 3.x to 4.x and had Versioned Files installed have no further need for this module, because the 4.x release has built-in versioning. However, nothing in the upgrade process automates the destruction of these insecure artefacts, nor alerts the user to the criticality of destruction.)"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/symbiote/silverstripe-versionedfiles", "refsource": "MISC", "url": "https://github.com/symbiote/silverstripe-versionedfiles"}, {"name": "https://github.com/silverstripe/silverstripe-framework", "refsource": "MISC", "url": "https://github.com/silverstripe/silverstripe-framework"}, {"name": "https://www.silverstripe.org/download/security-releases/cve-2019-16409", "refsource": "CONFIRM", "url": "https://www.silverstripe.org/download/security-releases/cve-2019-16409"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:17:39.578Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/symbiote/silverstripe-versionedfiles"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/silverstripe/silverstripe-framework"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.silverstripe.org/download/security-releases/cve-2019-16409"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-16409", "datePublished": "2019-09-26T14:36:27", "dateReserved": "2019-09-18T00:00:00", "dateUpdated": "2024-08-05T01:17:39.578Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:silverstripe:silverstripe:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E58CB97-D94C-41B1-BD35-101853DF1D5E", "versionEndIncluding": "3.7.4", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:symbiote:versionedfiles:*:*:*:*:*:silverstripe:*:*", "matchCriteriaId": "2243C113-7430-45F8-B641-A4A937594787", "versionEndIncluding": "2.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding of the symbiote/silverstripe-versionedfiles source code. (Users who upgrade from SilverStripe 3.x to 4.x and had Versioned Files installed have no further need for this module, because the 4.x release has built-in versioning. However, nothing in the upgrade process automates the destruction of these insecure artefacts, nor alerts the user to the criticality of destruction.)"}, {"lang": "es", "value": "En el m\u00f3dulo Versioned Files versiones hasta 2.0.3 para SilverStripe versiones 3.x, las versiones no publicadas de archivos se exponen p\u00fablicamente a cualquiera que pueda adivinar su URL. Esta suposici\u00f3n podr\u00eda estar altamente informada para una comprensi\u00f3n b\u00e1sica del c\u00f3digo fuente de symbiote/silverstripe-versionedfiles. (Los usuarios que actualizan SilverStripe versiones 3.x hasta 4.x y ten\u00edan instalado Versioned Files ya no necesitan este m\u00f3dulo, porque la versi\u00f3n 4.x posee versiones integradas. Sin embargo, nada en el proceso de actualizaci\u00f3n automatiza la destrucci\u00f3n de estos artefactos no seguros, ni alerta al usuario sobre la importancia de su destrucci\u00f3n)."}], "id": "CVE-2019-16409", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-09-26T16:15:11.267", "references": [{"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://github.com/silverstripe/silverstripe-framework"}, {"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://github.com/symbiote/silverstripe-versionedfiles"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.silverstripe.org/download/security-releases/cve-2019-16409"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}