oss-sec mailing list archives
Re: CVE request: Cantata vulnerability
From: cve-assign () mitre org
Date: Mon, 20 Jan 2014 11:05:44 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
https://code.google.com/p/cantata/issues/detail?id=356
Use CVE-2013-7300 for the lack of restrictions on the set of files available through the web server, i.e., an absolute path traversal vulnerability. Use CVE-2013-7301 for the default configuration in which the external network interface is used with no access control for reading queued music files. These could have been fixed independently. For example, fixing only CVE-2013-7300 means that a remote attacker could read "private" song data (but that might be irrelevant in some situations on a network within a home). Fixing only CVE-2013-7301 means that local users could read arbitrary files (but that might be irrelevant on a single-user system). The other issues mentioned in id=356 are probably best considered suggestions for security improvement (e.g., availability of an HTTP service in fewer circumstances, defaulting to the lo interface, better access control, additional build options, etc.). - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJS3UglAAoJEKllVAevmvmslR4IALRpqiR6R6K8mUuqeEDhnzKV TY4cY6E5sRbpM4jCLKKSlTX6eLFuOEP0yXJfnyAr5opGTslmecfCTVuvTxa9u7E5 KHviH9Qlinzt31BnxNvXJPntIRHr87YVPYPvHNeBMVcVyl3Z9tRMBngGn7pXfPh3 3ILDISHeKtbGrSO/7PycIxqEJuNgaU0sckcp2NGYkMDNF6fjLdKak+nGHSA8tvML ssvGayQ2EUcfSEWUdltDR8omDcTKEAR8w86Bpu1usf0mOczh15bn9rJNb/BjLQIH Wx2EyVeuDVrOftmdK4IzqchfrEsvKmJOKA8ZiyG1XY9n7n7T8iKjjeCvHwOQM6o= =Arrv -----END PGP SIGNATURE-----
Current thread:
- CVE request: Cantata vulnerability Sergey Popov (Jan 20)
- Re: CVE request: Cantata vulnerability cve-assign (Jan 20)