CVE-2019-7305

Information Exposure vulnerability in eXtplorer makes the /usr/ and /etc/extplorer/ system directories world-accessible over HTTP. Introduced in the Makefile patch file debian/patches/debian-changes-2.1.0b6+dfsg-1 or debian/patches/adds-a-makefile.patch, this can lead to data leakage, information disclosure and potentially remote code execution on the web server. This issue affects all versions of eXtplorer in Ubuntu and Debian

CVSS v3 5.8 MEDIUM
CVSS v2.0 7.5 HIGH

5.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://launchpad.net/bugs/1822013	Issue Tracking Third Party Advisory
https://launchpad.net/bugs/1822013	Issue Tracking Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:extplorer:extplorer:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:canonical:ubuntu_linux:-:::::::*
	cpe:2.3:o:debian:debian_linux:-:::::::*

History

No history.

Information

Published : 2020-04-10 00:15

Updated : 2024-11-21 04:47

NVD link : CVE-2019-7305

Mitre link : CVE-2019-7305

CVE.ORG link : CVE-2019-7305

JSON object : View

Products Affected

debian

debian_linux

extplorer

extplorer

canonical

ubuntu_linux

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-552

Files or Directories Accessible to External Parties

{"id": "CVE-2019-7305", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security@ubuntu.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2020-04-10T00:15:11.347", "references": [{"url": "https://launchpad.net/bugs/1822013", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "security@ubuntu.com"}, {"url": "https://launchpad.net/bugs/1822013", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@ubuntu.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-552"}]}], "descriptions": [{"lang": "en", "value": "Information Exposure vulnerability in eXtplorer makes the /usr/ and /etc/extplorer/ system directories world-accessible over HTTP. Introduced in the Makefile patch file debian/patches/debian-changes-2.1.0b6+dfsg-1 or debian/patches/adds-a-makefile.patch, this can lead to data leakage, information disclosure and potentially remote code execution on the web server. This issue affects all versions of eXtplorer in Ubuntu and Debian"}, {"lang": "es", "value": "La vulnerabilidad de exposici\u00f3n a la informaci\u00f3n en eXtplorer hace que los directorios del sistema /usr/ y /etc/extplorer/ sean de tipo world-accessible a trav\u00e9s de HTTP. Introducido en el archivo de parche Makefile debian/patches/debian-changes-2.1.0b6+dfsg-1 o debian/patches/adds-a-makefile.patch, esto puede conllevar a un filtrado de datos, una divulgaci\u00f3n de informaci\u00f3n y potencialmente una ejecuci\u00f3n de c\u00f3digo remota en el Servidor web. Este problema afecta a todas las versiones de eXtplorer en Ubuntu y Debian."}], "lastModified": "2024-11-21T04:47:58.170", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:extplorer:extplorer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2977CC14-2091-43C3-873B-C7D1ED2BBE07", "versionEndIncluding": "2.1.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "019A2188-0877-45DE-8512-F0BF70DD179C"}, {"criteria": "cpe:2.3:o:debian:debian_linux:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "5920923E-0D52-44E5-801D-10B82846ED58"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security@ubuntu.com"}