PT-2018-4910 · Web2Py+1 · Web2Py+1

Shaolin

·

Publicado

2018-02-06

·

Atualizado

2022-05-14

·

CVE-2016-3954

CVSS v3.1

5.5

Média

VetorAV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions web2py versions prior to 2.14.2
Description The issue allows remote attackers to obtain the session cookie key value via a direct request to "examples/simple examples/status". This can be leveraged to execute arbitrary code.
Recommendations For versions prior to 2.14.2, update to version 2.14.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "examples/simple examples/status" endpoint until a patch is available.

Exploit

Correção

Information Disclosure

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-200

Identificadores relacionados

CVE-2016-3954
GHSA-JR83-VR4J-MP6P
USN-4030-1

Produtos afetados

Ubuntu
Web2Py