CVE-2008-0252 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 UNKNOWN	NETWORK	LOW		AV:N/AC:L/Au:N/C:P/I:P/A:P
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 85%

Vendor	Product	Version
cherrypy	cherrypy	𝑥 ≤ 2.1.0
cherrypy	cherrypy	𝑥 ≤ 3.0.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

cherrypy3

bullseye	8.9.1-8 fixed
bookworm	18.8.0-2 fixed
sid	18.10.0-1 fixed
trixie	18.10.0-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

cherrypy3

intrepid	not-affected
hardy	not-affected
gutsy	Fixed 3.0.2-1ubuntu0.1 released
feisty	dne
edgy	dne
dapper	dne

python-cherrypy

intrepid	not-affected
hardy	not-affected
gutsy	Fixed 2.2.1-3ubuntu1.7.10 released
feisty	Fixed 2.2.1-3ubuntu1.7.04 released
edgy	ignored
dapper	not-affected

Known Exploits!

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

http://secunia.com/advisories/28353

http://secunia.com/advisories/28354

http://secunia.com/advisories/28611

http://secunia.com/advisories/28620

http://secunia.com/advisories/28769

http://security.gentoo.org/glsa/glsa-200801-11.xml

http://www.cherrypy.org/changeset/1774

http://www.cherrypy.org/changeset/1775

http://www.cherrypy.org/changeset/1776

http://www.cherrypy.org/ticket/744

http://www.debian.org/security/2008/dsa-1481

http://www.securityfocus.com/archive/1/487001/100/0/threaded

http://www.securityfocus.com/bid/27181

http://www.vupen.com/english/advisories/2008/0039

https://bugs.gentoo.org/show_bug.cgi?id=204829

https://issues.rpath.com/browse/RPL-2127

https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00240.html

https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00297.html

http://secunia.com/advisories/28353

http://secunia.com/advisories/28354

http://secunia.com/advisories/28611

http://secunia.com/advisories/28620

http://secunia.com/advisories/28769

http://security.gentoo.org/glsa/glsa-200801-11.xml

http://www.cherrypy.org/changeset/1774

http://www.cherrypy.org/changeset/1775

http://www.cherrypy.org/changeset/1776

http://www.cherrypy.org/ticket/744

http://www.debian.org/security/2008/dsa-1481

http://www.securityfocus.com/archive/1/487001/100/0/threaded

http://www.securityfocus.com/bid/27181

http://www.vupen.com/english/advisories/2008/0039

https://bugs.gentoo.org/show_bug.cgi?id=204829

https://issues.rpath.com/browse/RPL-2127

https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00240.html

https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00297.html