CVE-2020-35176 - log

CVE-2020-35176 edited at 26 Mar 2021 12:01:17
Type
- Information disclosure
+ Directory traversal
Description
- In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
+ In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. This issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
CVE-2020-35176 edited at 18 Mar 2021 11:38:55
References
https://github.com/eldy/awstats/issues/195
https://github.com/eldy/awstats/pull/196
- https://github.com/eldy/AWStats/commit/96756d7f40e002cc1e6ba72c633fb66b92e54f49
+ https://github.com/eldy/AWStats/commit/0d4d4c05f8e73be8f71dd361dc55cbd52858b823
CVE-2020-35176 edited at 18 Jan 2021 14:30:32
References
https://github.com/eldy/awstats/issues/195
https://github.com/eldy/awstats/pull/196
+ https://github.com/eldy/AWStats/commit/96756d7f40e002cc1e6ba72c633fb66b92e54f49
CVE-2020-35176 edited at 02 Jan 2021 11:15:46
References
https://github.com/eldy/awstats/issues/195
+ https://github.com/eldy/awstats/pull/196
CVE-2020-35176 edited at 12 Dec 2020 17:33:49
Severity
- Unknown
+ High
Remote
- Unknown
+ Remote
Type
- Unknown
+ Information disclosure
Description
+ In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
References
+ https://github.com/eldy/awstats/issues/195
Notes
CVE-2020-35176 created at 12 Dec 2020 17:31:36