GLSA Advocate
Joined: 12 May 2004 Posts: 2663
|
Posted: Tue May 30, 2006 3:26 pm Post subject: [ GLSA 200605-16 ] CherryPy: Directory traversal vulnerabili |
|
|
Gentoo Linux Security Advisory
Title: CherryPy: Directory traversal vulnerability (GLSA 200605-16)
Severity: low
Exploitable: remote
Date: May 30, 2006
Bug(s): #134273
ID: 200605-16
Synopsis
CherryPy is vulnerable to a directory traversal that could allow attackers to read arbitrary files.
Background
CherryPy is a Python-based, object-oriented web development framework.
Affected Packages
Package: dev-python/cherrypy
Vulnerable: < 2.1.1
Unaffected: >= 2.1.1
Architectures: All supported architectures
Description
Ivo van der Wijk discovered that the "staticfilter" component of CherryPy fails to sanitize input correctly.
Impact
An attacker could exploit this flaw to obtain arbitrary files from the web server.
Workaround
There is no known workaround at this time.
Resolution
All CherryPy users should upgrade to the latest version: Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/cherrypy-2.1.1" |
References
CVE-2006-0847 |
|