CVE-2016-1231

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2016-1231
Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path.

5.9 /10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References
Link Resource
http://blog.prosody.im/prosody-0-9-9-security-release/ Patch Vendor Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html
http://www.debian.org/security/2016/dsa-3439
http://www.openwall.com/lists/oss-security/2016/01/08/5
https://prosody.im/issues/issue/520
https://prosody.im/security/advisory_20160108-1/ Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:prosody:prosody:0.9.0:*:*:*:*:*:*:*
cpe:2.3:a:prosody:prosody:0.9.1:*:*:*:*:*:*:*
cpe:2.3:a:prosody:prosody:0.9.2:*:*:*:*:*:*:*
cpe:2.3:a:prosody:prosody:0.9.3:*:*:*:*:*:*:*
cpe:2.3:a:prosody:prosody:0.9.4:*:*:*:*:*:*:*
cpe:2.3:a:prosody:prosody:0.9.5:*:*:*:*:*:*:*
cpe:2.3:a:prosody:prosody:0.9.6:*:*:*:*:*:*:*
cpe:2.3:a:prosody:prosody:0.9.7:*:*:*:*:*:*:*
cpe:2.3:a:prosody:prosody:0.9.8:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
History

No history.

Information

Published : 2016-01-12 20:59

Updated : 2024-02-04 18:53

NVD link : CVE-2016-1231

Mitre link : CVE-2016-1231

CVE.ORG link : CVE-2016-1231

JSON object : View

Products Affected

debian

  • debian_linux

prosody

  • prosody

fedoraproject

  • fedora
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')