PT-2020-15931 · Freedombox+1 · Plinth+2
James Valleroy
·
Published
2020-09-02
·
Updated
2020-09-11
·
CVE-2020-25073
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
FreedomBox versions prior to 20.14
Plinth versions prior to 20.14
Description
The issue allows remote attackers to obtain sensitive information from the "/server-status" page of the Apache HTTP Server. This is because a connection from the Tor onion service, or from PageKite, is considered a local connection. The Apache mod status module must be enabled for this issue to occur.
Recommendations
For FreedomBox versions prior to 20.14, update to version 20.14 or later to resolve the issue.
For Plinth versions prior to 20.14, update to version 20.14 or later to resolve the issue.
As a temporary workaround, consider disabling the Apache mod status module until a patch is available.
Restrict access to the "/server-status" page to minimize the risk of exploitation.
Exploit
Fix
Exposure of Resource to Wrong Sphere
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Http Server
Freedombox
Plinth