---

CVE-2020-35176 - log back

CVE-2020-35176 edited at 26 Mar 2021 12:01:17
Type	- Information disclosure + Directory traversal
Description	- In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600. + In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. This issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.

CVE-2020-35176 edited at 18 Mar 2021 11:38:55
References	https://github.com/eldy/awstats/issues/195 https://github.com/eldy/awstats/pull/196 - https://github.com/eldy/AWStats/commit/96756d7f40e002cc1e6ba72c633fb66b92e54f49 + https://github.com/eldy/AWStats/commit/0d4d4c05f8e73be8f71dd361dc55cbd52858b823

CVE-2020-35176 edited at 18 Jan 2021 14:30:32
References	https://github.com/eldy/awstats/issues/195 https://github.com/eldy/awstats/pull/196 + https://github.com/eldy/AWStats/commit/96756d7f40e002cc1e6ba72c633fb66b92e54f49

CVE-2020-35176 edited at 02 Jan 2021 11:15:46
References	https://github.com/eldy/awstats/issues/195 + https://github.com/eldy/awstats/pull/196

CVE-2020-35176 edited at 12 Dec 2020 17:33:49
Severity	- Unknown + High
Remote	- Unknown + Remote
Type	- Unknown + Information disclosure
Description	+ In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
References	+ https://github.com/eldy/awstats/issues/195
Notes

CVE-2020-35176 created at 12 Dec 2020 17:31:36