CVE-2019-7305 - OpenCVE

Information Exposure vulnerability in eXtplorer makes the /usr/ and /etc/extplorer/ system directories world-accessible over HTTP. Introduced in the Makefile patch file debian/patches/debian-changes-2.1.0b6+dfsg-1 or debian/patches/adds-a-makefile.patch, this can lead to data leakage, information disclosure and potentially remote code execution on the web server. This issue affects all versions of eXtplorer in Ubuntu and Debian

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Debian	Debian Linux
Extplorer	Extplorer

Configuration 1 [-]

AND

cpe:2.3:a:extplorer:extplorer:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:canonical:ubuntu_linux:-:::::::*
	cpe:2.3:o:debian:debian_linux:-:::::::*

No data.

References

Link	Providers
https://launchpad.net/bugs/1822013

History

No history.

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2020-04-09T23:50:11.945008Z

Updated: 2024-09-17T03:12:40.148Z

Reserved: 2019-02-01T00:00:00

Link: CVE-2019-7305

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-04-10T00:15:11.347

Modified: 2021-09-13T14:24:18.987

Link: CVE-2019-7305

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "eXtplorer", "vendor": "Canonical", "versions": [{"lessThanOrEqual": "2.1.0b6+dfsg.3-4+deb7u5ubuntu0.16.04.1", "status": "affected", "version": "2.1.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Sander Bos"}], "datePublic": "2019-03-27T00:00:00", "descriptions": [{"lang": "en", "value": "Information Exposure vulnerability in eXtplorer makes the /usr/ and /etc/extplorer/ system directories world-accessible over HTTP. Introduced in the Makefile patch file debian/patches/debian-changes-2.1.0b6+dfsg-1 or debian/patches/adds-a-makefile.patch, this can lead to data leakage, information disclosure and potentially remote code execution on the web server. This issue affects all versions of eXtplorer in Ubuntu and Debian"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-04-09T23:50:11", "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://launchpad.net/bugs/1822013"}], "source": {"defect": ["https://launchpad.net/bugs/1822013"], "discovery": "EXTERNAL"}, "title": "eXtplorer exposes /usr and /etc/extplorer over HTTP", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@ubuntu.com", "DATE_PUBLIC": "2019-03-27T13:15:00.000Z", "ID": "CVE-2019-7305", "STATE": "PUBLIC", "TITLE": "eXtplorer exposes /usr and /etc/extplorer over HTTP"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "eXtplorer", "version": {"version_data": [{"version_affected": "<=", "version_name": "2.1.0", "version_value": "2.1.0b6+dfsg.3-4+deb7u5ubuntu0.16.04.1"}, {"version_affected": "<=", "version_name": "2.1.0", "version_value": "2.1.0b6+dfsg.3-4+deb7u5build0.14.04.1 +1"}]}}]}, "vendor_name": "Canonical"}]}}, "credit": [{"lang": "eng", "value": "Sander Bos"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Information Exposure vulnerability in eXtplorer makes the /usr/ and /etc/extplorer/ system directories world-accessible over HTTP. Introduced in the Makefile patch file debian/patches/debian-changes-2.1.0b6+dfsg-1 or debian/patches/adds-a-makefile.patch, this can lead to data leakage, information disclosure and potentially remote code execution on the web server. This issue affects all versions of eXtplorer in Ubuntu and Debian"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200 Information Exposure"}]}]}, "references": {"reference_data": [{"name": "https://launchpad.net/bugs/1822013", "refsource": "MISC", "url": "https://launchpad.net/bugs/1822013"}]}, "source": {"defect": ["https://launchpad.net/bugs/1822013"], "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T20:46:45.936Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://launchpad.net/bugs/1822013"}]}]}, "cveMetadata": {"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "assignerShortName": "canonical", "cveId": "CVE-2019-7305", "datePublished": "2020-04-09T23:50:11.945008Z", "dateReserved": "2019-02-01T00:00:00", "dateUpdated": "2024-09-17T03:12:40.148Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:extplorer:extplorer:*:*:*:*:*:*:*:*", "matchCriteriaId": "2977CC14-2091-43C3-873B-C7D1ED2BBE07", "versionEndIncluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:-:*:*:*:*:*:*:*", "matchCriteriaId": "019A2188-0877-45DE-8512-F0BF70DD179C", "vulnerable": false}, {"criteria": "cpe:2.3:o:debian:debian_linux:-:*:*:*:*:*:*:*", "matchCriteriaId": "5920923E-0D52-44E5-801D-10B82846ED58", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Information Exposure vulnerability in eXtplorer makes the /usr/ and /etc/extplorer/ system directories world-accessible over HTTP. Introduced in the Makefile patch file debian/patches/debian-changes-2.1.0b6+dfsg-1 or debian/patches/adds-a-makefile.patch, this can lead to data leakage, information disclosure and potentially remote code execution on the web server. This issue affects all versions of eXtplorer in Ubuntu and Debian"}, {"lang": "es", "value": "La vulnerabilidad de exposici\u00f3n a la informaci\u00f3n en eXtplorer hace que los directorios del sistema /usr/ y /etc/extplorer/ sean de tipo world-accessible a trav\u00e9s de HTTP. Introducido en el archivo de parche Makefile debian/patches/debian-changes-2.1.0b6+dfsg-1 o debian/patches/adds-a-makefile.patch, esto puede conllevar a un filtrado de datos, una divulgaci\u00f3n de informaci\u00f3n y potencialmente una ejecuci\u00f3n de c\u00f3digo remota en el Servidor web. Este problema afecta a todas las versiones de eXtplorer en Ubuntu y Debian."}], "id": "CVE-2019-7305", "lastModified": "2021-09-13T14:24:18.987", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2020-04-10T00:15:11.347", "references": [{"source": "security@ubuntu.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://launchpad.net/bugs/1822013"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-552"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@ubuntu.com", "type": "Secondary"}]}