Vulnerability DatabaseCVE-2008-0252
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2008-0252
January 12, 2008
Directory traversal vulnerability in the _get_file_path function in (1) lib/sessions.py in CherryPy 3.0.x up to 3.0.2, (2) filter/sessionfilter.py in CherryPy 2.1, and (3) filter/sessionfilter.py in CherryPy 2.x allows remote attackers to create or delete arbitrary files, and possibly read and write portions of arbitrary files, via a crafted session id in a cookie.
Related ResourcesĀ (29)
http://secunia.com/advisories/28620
http://secunia.com/advisories/28611
https://github.com/cherrypy/cherrypy
http://secunia.com/advisories/28354
https://issues.rpath.com/browse/RPL-2127
https://web.archive.org/web/20110513223620/http://secunia.com/advisories/28769
http://security.gentoo.org/glsa/glsa-200801-11.xml
http://www.cherrypy.org/ticket/744
https://nvd.nist.gov/vuln/detail/CVE-2008-0252
http://www.securityfocus.com/bid/27181
http://secunia.com/advisories/28353
http://www.debian.org/security/2008/dsa-1481
http://www.cherrypy.org/changeset/1775
https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00240.html
https://web.archive.org/web/20080129011723/http://secunia.com/advisories/28354
https://web.archive.org/web/20080312130713/http://secunia.com/advisories/28353
https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00297.html
https://web.archive.org/web/20111224161644/http://secunia.com/advisories/28620
https://web.archive.org/web/20151108024505/http://www.securityfocus.com/bid/27181
https://github.com/cherrypy/cherrypy/commit/37b856eba6f207231c691dae2e5b24e072f86664
https://web.archive.org/web/20100122080212/http://www.vupen.com/english/advisories/2008/0039
https://github.com/pypa/advisory-database/tree/main/vulns/cherrypy/PYSEC-2008-3.yaml
http://www.vupen.com/english/advisories/2008/0039
http://www.cherrypy.org/changeset/1776
http://www.cherrypy.org/changeset/1774
https://web.archive.org/web/20080328003510/http://secunia.com/advisories/28611
http://secunia.com/advisories/28769
https://bugs.gentoo.org/show_bug.cgi?id=204829
http://www.securityfocus.com/archive/1/487001/100/0/threaded
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW
CVSS v2
Base Score:
7.5
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
Weakness Type (CWE)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-22
EPSS
Base Score:
2.84