CVE-2019-25087 - OpenCVE

A vulnerability was found in RamseyK httpserver. It has been rated as critical. This issue affects the function ResourceHost::getResource of the file src/ResourceHost.cpp of the component URI Handler. The manipulation of the argument uri leads to path traversal: '../filedir'. The attack may be initiated remotely. The name of the patch is 1a0de56e4dafff9c2f9c8f6b130a764f7a50df52. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216863.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Httpserver Project	Httpserver

Configuration 1 [-]

cpe:2.3:a:httpserver_project:httpserver:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/RamseyK/httpserver/commit/1a0de56e4dafff9c2f9c8f6b130a764f7a50df52
https://vuldb.com/?ctiid.216863
https://vuldb.com/?id.216863

History

No history.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2022-12-27T08:42:42.309Z

Updated: 2024-08-05T03:00:19.215Z

Reserved: 2022-12-27T08:41:11.243Z

Link: CVE-2019-25087

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-12-27T09:15:09.730

Modified: 2024-05-17T01:36:41.017

Link: CVE-2019-25087

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2019-25087", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2022-12-27T08:41:11.243Z", "datePublished": "2022-12-27T08:42:42.309Z", "dateUpdated": "2024-08-05T03:00:19.215Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2022-12-27T08:42:42.309Z"}, "title": "RamseyK httpserver URI ResourceHost.cpp getResource path traversal", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-24", "lang": "en", "description": "CWE-24 Path Traversal: '../filedir'"}]}], "affected": [{"vendor": "RamseyK", "product": "httpserver", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["URI Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in RamseyK httpserver. It has been rated as critical. This issue affects the function ResourceHost::getResource of the file src/ResourceHost.cpp of the component URI Handler. The manipulation of the argument uri leads to path traversal: '../filedir'. The attack may be initiated remotely. The name of the patch is 1a0de56e4dafff9c2f9c8f6b130a764f7a50df52. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216863."}, {"lang": "de", "value": "Eine Schwachstelle wurde in RamseyK httpserver ausgemacht. Sie wurde als kritisch eingestuft. Betroffen davon ist die Funktion ResourceHost::getResource der Datei src/ResourceHost.cpp der Komponente URI Handler. Durch das Beeinflussen des Arguments uri mit unbekannten Daten kann eine path traversal: '../filedir'-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Patch wird als 1a0de56e4dafff9c2f9c8f6b130a764f7a50df52 bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "MEDIUM"}}], "timeline": [{"time": "2022-12-27T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2022-12-27T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2022-12-27T09:47:39.000Z", "lang": "en", "value": "VulDB last update"}], "references": [{"url": "https://vuldb.com/?id.216863", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.216863", "tags": ["signature", "permissions-required"]}, {"url": "https://github.com/RamseyK/httpserver/commit/1a0de56e4dafff9c2f9c8f6b130a764f7a50df52", "tags": ["patch"]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:00:19.215Z"}, "title": "CVE Program Container", "references": [{"url": "https://vuldb.com/?id.216863", "tags": ["vdb-entry", "technical-description", "x_transferred"]}, {"url": "https://vuldb.com/?ctiid.216863", "tags": ["signature", "permissions-required", "x_transferred"]}, {"url": "https://github.com/RamseyK/httpserver/commit/1a0de56e4dafff9c2f9c8f6b130a764f7a50df52", "tags": ["patch", "x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:httpserver_project:httpserver:*:*:*:*:*:*:*:*", "matchCriteriaId": "0285D36A-BEF1-4CCD-A1DB-D330CAB1EC09", "versionEndExcluding": "2019-09-08", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in RamseyK httpserver. It has been rated as critical. This issue affects the function ResourceHost::getResource of the file src/ResourceHost.cpp of the component URI Handler. The manipulation of the argument uri leads to path traversal: '../filedir'. The attack may be initiated remotely. The name of the patch is 1a0de56e4dafff9c2f9c8f6b130a764f7a50df52. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216863."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en RamseyK httpserver. Ha sido calificado como cr\u00edtico. Este problema afecta la funci\u00f3n ResourceHost::getResource del archivo src/ResourceHost.cpp del componente URI Handler. La manipulaci\u00f3n del argumento uri conduce a path traversal: '../filedir'. El ataque puede iniciarse de forma remota. El nombre del parche es 1a0de56e4dafff9c2f9c8f6b130a764f7a50df52. Se recomienda aplicar un parche para solucionar este problema. El identificador asociado de esta vulnerabilidad es VDB-216863."}], "id": "CVE-2019-25087", "lastModified": "2024-05-17T01:36:41.017", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2022-12-27T09:15:09.730", "references": [{"source": "cna@vuldb.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/RamseyK/httpserver/commit/1a0de56e4dafff9c2f9c8f6b130a764f7a50df52"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory"], "url": "https://vuldb.com/?ctiid.216863"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory"], "url": "https://vuldb.com/?id.216863"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-24"}], "source": "cna@vuldb.com", "type": "Secondary"}]}