CVE-2002-0196

Current Description

GetRelativePath in ACD Incorporated CwpAPI 1.1 only verifies if the server root is somewhere within the path, which could allow remote attackers to read or write files outside of the web root, in other directories whose path includes the web root.

Basic Data

Published: May 16, 2002
Last Modified: September 11, 2008
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: NVD-CWE-Other
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 6.4
Severity: MEDIUM
Exploitability Score: 10.0
Impact Score: 4.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    Cpe Version: 2.3
    Part: Application
    Vendor: Acd Incorporated
    Product: Cwpapi
    Version: 1.1
    Update: *
    Edition: *
    Language: *
    SW Edition: *
    Target SW: *
    Target HW: *
    Other: *
    Version Start Including:
    Version End Including:
    Version Start Excluding:
    Version End Excluding:

Vulnerable Software List

Vendor: Acd Incorporated
Product: Cwpapi
Versions: 1.1

References

  • Name: 20020122 (Repost) CwpApi : GetRelativePath() returns invalid paths (security advisory)
    Source: BUGTRAQ
    URL: http://online.securityfocus.com/archive/1/251699
  • Name: http://sourceforge.net/forum/forum.php?forum_id=144966
    Source: CONFIRM
    URL: http://sourceforge.net/forum/forum.php?forum_id=144966
    Tags: Patch
  • Name: cwpapi-getrelativepath-view-files(7981)
    Source: XF
    URL: http://www.iss.net/security_center/static/7981.php
    Tags: Patch, Vendor Advisory
  • Name: 3924
    Source: BID
    URL: http://www.securityfocus.com/bid/3924