Published: 03/02/2016 Updated: 06/12/2016

CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10

CVSS v3 Base Score: 10 | Impact Score: 5.8 | Exploitability Score: 3.9

VMScore: 668

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

The multifilesystem storage backend in Radicale prior to 1.1 allows remote malicious users to read or write to arbitrary files via a crafted component name.

Vulnerable Product	Search on Vulmon	Subscribe to Product
radicale radicale

Debian Bug report logs - #809920 radicale: Upstream version 11 fixes several security issues (CVE-2015-8747 CVE-2015-8748) Package: radicale; Maintainer for radicale is Jonas Smedegaard <dr@jonesdk>; Source for radicale is src:radicale (PTS, buildd, popcon) Reported by: Felix Knecht <debian@felixknechtde> Date: Mo ...

Two vulnerabilities were fixed in radicale, a CardDAV/CalDAV server CVE-2015-8747 The (not configured by default and not available on Wheezy) multifilesystem storage backend allows read and write access to arbitrary files (still subject to the DAC permissions of the user the radicale server is running as) CVE-2015-8748 If an ...

CWE-20 https://github.com/Unrud/Radicale/commit/bcaf452e516c02c9bed584a73736431c5e8831f1 http://www.debian.org/security/2016/dsa-3462 http://www.openwall.com/lists/oss-security/2016/01/05/7 http://www.openwall.com/lists/oss-security/2016/01/06/4 https://github.com/Kozea/Radicale/pull/343 http://www.openwall.com/lists/oss-security/2016/01/06/7 http://www.securityfocus.com/bid/80255 http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175776.html http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175738.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809920 https://nvd.nist.gov https://www.debian.org/security/./dsa-3462

CVE-2015-8747

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect