SB2018010542 - Path traversal in awstats (Alpine package)
Published: January 5, 2018
Description
This security bulletin contains information about 1 security vulnerability.
1) Path traversal (CVE-ID: CVE-2017-1000501)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
AWStats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters, resulting in unauthenticated remote code execution.
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=ba01dda3b383b59969819d20506faa39f648f34a
- https://git.alpinelinux.org/aports/commit/?id=48618eb748ee1f5f69d7d36a8cf247f48b45a141
- https://git.alpinelinux.org/aports/commit/?id=56ce34d2e4f8ef34b2a1c237c109a036c080b190
- https://git.alpinelinux.org/aports/commit/?id=c52351538aa06d77293fe7e936dee8361fb3967c
- https://git.alpinelinux.org/aports/commit/?id=eb8d8205d9a12bae6f021d8971775705a6958507