CVE-2024-39899

{"id": "CVE-2024-39899", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-07-09T19:15:13.160", "references": [{"url": "https://github.com/PrivateBin/PrivateBin/commit/0c4e810e6728f67d678458838d8430dfba4fcca4", "source": "security-advisories@github.com"}, {"url": "https://github.com/PrivateBin/PrivateBin/pull/1370", "source": "security-advisories@github.com"}, {"url": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-mqqj-fx8h-437j", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-305"}, {"lang": "en", "value": "CWE-791"}]}], "descriptions": [{"lang": "en", "value": "PrivateBin is an online pastebin where the server has zero knowledge of pasted data. In v1.5, PrivateBin introduced the YOURLS server-side proxy. The idea was to allow using the YOURLs URL shortener without running the YOURLs instance without authentication and/or exposing the authentication token to the public, allowing anyone to shorten any URL. With the proxy mechanism, anyone can shorten any URL pointing to the configured PrivateBin instance. The vulnerability allowed other URLs to be shortened, as long as they contain the PrivateBin instance, defeating the limit imposed by the proxy. This vulnerability is fixed in 1.7.4."}, {"lang": "es", "value": "PrivateBin es un pastbin en l\u00ednea donde el servidor no tiene conocimiento de los datos pegados. En v1.5, PrivateBin introdujo el proxy del lado del servidor YOURLS. La idea era permitir el uso del acortador de URL de YOURLs sin ejecutar la instancia de YOURLs sin autenticaci\u00f3n y/o exponer el token de autenticaci\u00f3n al p\u00fablico, permitiendo a cualquiera acortar cualquier URL. Con el mecanismo de proxy, cualquiera puede acortar cualquier URL que apunte a la instancia de PrivateBin configurada. La vulnerabilidad permiti\u00f3 acortar otras URL, siempre que contengan la instancia PrivateBin, anulando el l\u00edmite impuesto por el proxy. Esta vulnerabilidad se solucion\u00f3 en 1.7.4."}], "lastModified": "2024-07-11T13:06:13.187", "sourceIdentifier": "security-advisories@github.com"}