fkie_nvd - fkie_cve-2016-1231

FKIE_CVE-2016-1231

Vulnerability from fkie_nvd - Published: 2016-01-12 20:59 - Updated: 2025-04-12 10:46

Severity ?

5.9 (Medium) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path.

References

URL	Tags
security@debian.org	http://blog.prosody.im/prosody-0-9-9-security-release/	Patch, Vendor Advisory
security@debian.org	http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html
security@debian.org	http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html
security@debian.org	http://www.debian.org/security/2016/dsa-3439
security@debian.org	http://www.openwall.com/lists/oss-security/2016/01/08/5
security@debian.org	https://prosody.im/issues/issue/520
security@debian.org	https://prosody.im/security/advisory_20160108-1/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://blog.prosody.im/prosody-0-9-9-security-release/	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html
af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2016/dsa-3439
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2016/01/08/5
af854a3a-2127-422b-91ae-364da2661108	https://prosody.im/issues/issue/520
af854a3a-2127-422b-91ae-364da2661108	https://prosody.im/security/advisory_20160108-1/	Vendor Advisory

Impacted products

Vendor	Product	Version
fedoraproject	fedora	22
fedoraproject	fedora	23
prosody	prosody	0.9.0
prosody	prosody	0.9.1
prosody	prosody	0.9.2
prosody	prosody	0.9.3
prosody	prosody	0.9.4
prosody	prosody	0.9.5
prosody	prosody	0.9.6
prosody	prosody	0.9.7
prosody	prosody	0.9.8
debian	debian_linux	7.0
debian	debian_linux	8.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*",
              "matchCriteriaId": "253C303A-E577-4488-93E6-68A8DD942C38",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*",
              "matchCriteriaId": "E79AB8DD-C907-4038-A931-1A5A4CFB6A5B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:prosody:prosody:0.9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "69BF8C97-A90B-4F1D-9300-F8BF411BDF69",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:prosody:prosody:0.9.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "B70430C5-9AA2-46D5-B7DD-ED08CB980F47",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:prosody:prosody:0.9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "19FFAE24-10BB-4F88-A0BF-105B4B6A702D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:prosody:prosody:0.9.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "668FF630-38DC-44BF-ACC8-2F519B788175",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:prosody:prosody:0.9.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "DADDF029-1D55-4B48-B535-BBF677B10C29",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:prosody:prosody:0.9.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "DB07BA0E-AA91-4773-AC6C-63C825D6D114",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:prosody:prosody:0.9.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "A6E8D0F2-485E-441A-94F5-5FEF084B38F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:prosody:prosody:0.9.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "D2251303-150D-439D-9AE3-A0B61379A0B4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:prosody:prosody:0.9.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "8B6A57A5-A666-4F09-9618-55C9AFF7383B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de salto de directorio en el m\u00f3dulo HTTP file-serving (mod_http_files) en Prosody 0.9.x en versiones anteriores a 0.9.9 permite a atacantes remotos leer archivos arbitrarios a trav\u00e9s de un .. (punto punto) en una ruta no especificada."
    }
  ],
  "id": "CVE-2016-1231",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2016-01-12T20:59:09.167",
  "references": [
    {
      "source": "security@debian.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
    },
    {
      "source": "security@debian.org",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
    },
    {
      "source": "security@debian.org",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
    },
    {
      "source": "security@debian.org",
      "url": "http://www.debian.org/security/2016/dsa-3439"
    },
    {
      "source": "security@debian.org",
      "url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
    },
    {
      "source": "security@debian.org",
      "url": "https://prosody.im/issues/issue/520"
    },
    {
      "source": "security@debian.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://prosody.im/security/advisory_20160108-1/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2016/dsa-3439"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://prosody.im/issues/issue/520"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://prosody.im/security/advisory_20160108-1/"
    }
  ],
  "sourceIdentifier": "security@debian.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2016-1231 (GCVE-0-2016-1231)

Vulnerability from cvelistv5 – Published: 2016-01-12 20:00 – Updated: 2024-08-05 22:48

Summary

Severity ?

No CVSS data available.

CWE

Assigner

debian

References

URL

Tags

	http://lists.fedoraproject.org/pipermail/package-…	vendor-advisoryx_refsource_FEDORA
	https://prosody.im/issues/issue/520	x_refsource_CONFIRM
	http://lists.fedoraproject.org/pipermail/package-…	vendor-advisoryx_refsource_FEDORA
	http://www.debian.org/security/2016/dsa-3439	vendor-advisoryx_refsource_DEBIAN
	http://blog.prosody.im/prosody-0-9-9-security-release/	x_refsource_CONFIRM
	https://prosody.im/security/advisory_20160108-1/	x_refsource_CONFIRM
	http://www.openwall.com/lists/oss-security/2016/01/08/5	mailing-listx_refsource_MLIST

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T22:48:13.660Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "FEDORA-2016-e289f41b76",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://prosody.im/issues/issue/520"
          },
          {
            "name": "FEDORA-2016-38e48069f8",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
          },
          {
            "name": "DSA-3439",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2016/dsa-3439"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://prosody.im/security/advisory_20160108-1/"
          },
          {
            "name": "[oss-security] 20160108 CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-01-08T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-06-01T20:57:01",
        "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
        "shortName": "debian"
      },
      "references": [
        {
          "name": "FEDORA-2016-e289f41b76",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://prosody.im/issues/issue/520"
        },
        {
          "name": "FEDORA-2016-38e48069f8",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
        },
        {
          "name": "DSA-3439",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2016/dsa-3439"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://prosody.im/security/advisory_20160108-1/"
        },
        {
          "name": "[oss-security] 20160108 CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@debian.org",
          "ID": "CVE-2016-1231",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "FEDORA-2016-e289f41b76",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
            },
            {
              "name": "https://prosody.im/issues/issue/520",
              "refsource": "CONFIRM",
              "url": "https://prosody.im/issues/issue/520"
            },
            {
              "name": "FEDORA-2016-38e48069f8",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
            },
            {
              "name": "DSA-3439",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2016/dsa-3439"
            },
            {
              "name": "http://blog.prosody.im/prosody-0-9-9-security-release/",
              "refsource": "CONFIRM",
              "url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
            },
            {
              "name": "https://prosody.im/security/advisory_20160108-1/",
              "refsource": "CONFIRM",
              "url": "https://prosody.im/security/advisory_20160108-1/"
            },
            {
              "name": "[oss-security] 20160108 CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
    "assignerShortName": "debian",
    "cveId": "CVE-2016-1231",
    "datePublished": "2016-01-12T20:00:00",
    "dateReserved": "2015-12-27T00:00:00",
    "dateUpdated": "2024-08-05T22:48:13.660Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

FKIE_CVE-2016-1231

CVE-2016-1231 (GCVE-0-2016-1231)

Tags

Sightings

Nomenclature