CVE-2017-16248

{"id": "CVE-2017-16248", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2017-11-01T01:29:01.010", "references": [{"url": "https://bugs.debian.org/880458", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://metacpan.org/changes/distribution/Catalyst-Plugin-Static-Simple", "tags": ["Release Notes"], "source": "cve@mitre.org"}, {"url": "https://rt.cpan.org/Public/Bug/Display.html?id=120558", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "The Catalyst-Plugin-Static-Simple module before 0.34 for Perl allows remote attackers to read arbitrary files if there is a '.' character anywhere in the pathname, which differs from the intended policy of allowing access only when the filename itself has a '.' character."}, {"lang": "es", "value": "El m\u00f3dulo Catalyst-Plugin-Static-Simple en versiones anteriores a la 0.34 para Perl permite que atacantes remotos lean archivos arbitrarios si hay un caracter \".\" en cualquier parte del nombre de ruta, lo que difiere de la pol\u00edtica prevista que solo permite el acceso cuando el nombre de archivo en s\u00ed contiene un caracter \".\"."}], "lastModified": "2017-11-22T20:20:30.097", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:catalyst-plugin-static-simple_project:catalyst-plugin-static-simple:*:*:*:*:*:perl:*:*", "vulnerable": true, "matchCriteriaId": "8DA2AA35-00DF-4102-857E-93CB9EF9B91F", "versionEndExcluding": "0.34"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}