CVE-2008-0252

Directory traversal vulnerability in the _get_file_path function in (1) lib/sessions.py in CherryPy 3.0.x up to 3.0.2, (2) filter/sessionfilter.py in CherryPy 2.1, and (3) filter/sessionfilter.py in CherryPy 2.x allows remote attackers to create or delete arbitrary files, and possibly read and write portions of arbitrary files, via a crafted session id in a cookie.
Path Traversal
Severity: UNKNOWN
CVSS vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Atk. Vector: NETWORK
Atk. Complexity: LOW
Base Score: CVSS 3.x
EPSS Score: Percentile: 78%

Vulnerable software versions

Vendor     Product    Version
cherrypy   cherrypy   ≤ 2.1.0
cherrypy   cherrypy   ≤ 3.0.2

Debian Releases

Product     Codename   Version     Status
cherrypy3   bullseye   8.9.1-8     fixed
cherrypy3   bookworm   18.8.0-2    fixed
cherrypy3   sid        18.10.0-1   fixed
cherrypy3   trixie     18.10.0-1   fixed

Ubuntu Releases

Product           Codename   Status         Fixed version
cherrypy3         intrepid   not-affected
cherrypy3         hardy      not-affected
cherrypy3         gutsy      released       3.0.2-1ubuntu0.1
cherrypy3         feisty     dne
cherrypy3         edgy       dne
cherrypy3         dapper     dne
python-cherrypy   intrepid   not-affected
python-cherrypy   hardy      not-affected
python-cherrypy   gutsy      released       2.2.1-3ubuntu1.7.10
python-cherrypy   feisty     released       2.2.1-3ubuntu1.7.04
python-cherrypy   edgy       ignored
python-cherrypy   dapper     not-affected