Posted: Tue May 30, 2006 3:26 pm Post subject: [ GLSA 200605-16 ] CherryPy: Directory traversal vulnerabili
Gentoo Linux Security Advisory
Title: CherryPy: Directory traversal vulnerability (GLSA 200605-16)
Date: May 30, 2006
CherryPy is vulnerable to a directory traversal that could allow attackers to read arbitrary files.
CherryPy is a Python-based, object-oriented web development framework.
Vulnerable: < 2.1.1
Unaffected: >= 2.1.1
Architectures: All supported architectures
Ivo van der Wijk discovered that the "staticfilter" component of CherryPy fails to sanitize input correctly.
An attacker could exploit this flaw to obtain arbitrary files from the web server.
There is no known workaround at this time.
All CherryPy users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/cherrypy-2.1.1"
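
The advisory attributes the flaw to request input that "staticfilter" does not sanitize correctly. The following added example, which is not part of the advisory and is not CherryPy's code, shows the containment check a static-file handler needs: decode the request path, canonicalize it, and serve it only if the result is still under the static root. The names `resolve_static_path` and `demo`, the directory layout and the request paths are hypothetical and constructed for the illustration.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_static_path(root, url_path):
    """Map a request path to a file under root, or return None if it escapes.

    Hypothetical helper for illustration; not CherryPy's staticfilter code.
    """
    # Decode percent-escapes first so "%2e%2e/" is checked as "../".
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators too, then drop leading slashes so
    # os.path.join is never handed an absolute path that replaces root.
    relative = decoded.replace("\\", "/").lstrip("/")
    real_root = os.path.realpath(root)
    # realpath collapses ".." segments and follows symlinks.
    candidate = os.path.realpath(os.path.join(real_root, relative))
    # Containment is checked on the canonical path, not on the raw string.
    if os.path.commonpath([real_root, candidate]) != real_root:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Build a constructed directory tree and resolve sample request paths."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "static")
        os.makedirs(os.path.join(root, "css"))
        with open(os.path.join(root, "css", "site.css"), "w") as fh:
            fh.write("body {}\n")
        with open(os.path.join(base, "secret.txt"), "w") as fh:
            fh.write("outside the static root\n")
        requests = [  # constructed sample request paths
            "/css/site.css",
            "/css/../css/site.css",
            "/../secret.txt",
            "/%2e%2e/secret.txt",
            "/css/..\\..\\secret.txt",
        ]
        return {p: resolve_static_path(root, p) is not None for p in requests}


if __name__ == "__main__":
    for path, served in demo().items():
        print(f"{'served ' if served else 'refused'}  {path}")
```

A check like this is defence in depth for application code that serves files itself; it does not replace upgrading to an unaffected CherryPy version as the advisory directs.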