Vulnerability Details CVE-2020-29600
In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.023
EPSS Ranking 83.9%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891469
- https://github.com/eldy/awstats/issues/90
- https://lists.debian.org/debian-lts-announce/2020/12/msg00035.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/47QZWKSRZYZFESYTLSW7A6KVKOOPL7IV/
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891469
- https://github.com/eldy/awstats/issues/90
- https://lists.debian.org/debian-lts-announce/2020/12/msg00035.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/47QZWKSRZYZFESYTLSW7A6KVKOOPL7IV/
Products affected by CVE-2020-29600
-
cpe:2.3:a:awstats:awstats:1.0
-
cpe:2.3:a:awstats:awstats:4.0
-
cpe:2.3:a:awstats:awstats:4.1
-
cpe:2.3:a:awstats:awstats:5.0
-
cpe:2.3:a:awstats:awstats:5.1
-
cpe:2.3:a:awstats:awstats:5.2
-
cpe:2.3:a:awstats:awstats:5.3
-
cpe:2.3:a:awstats:awstats:5.4
-
cpe:2.3:a:awstats:awstats:5.5
-
cpe:2.3:a:awstats:awstats:5.6
-
cpe:2.3:a:awstats:awstats:5.7
-
cpe:2.3:a:awstats:awstats:5.8
-
cpe:2.3:a:awstats:awstats:5.9
-
cpe:2.3:a:awstats:awstats:6.0
-
cpe:2.3:a:awstats:awstats:6.1
-
cpe:2.3:a:awstats:awstats:6.2
-
cpe:2.3:a:awstats:awstats:6.3
-
cpe:2.3:a:awstats:awstats:6.4
-
cpe:2.3:a:awstats:awstats:6.5
-
cpe:2.3:a:awstats:awstats:6.6
-
cpe:2.3:a:awstats:awstats:6.7
-
cpe:2.3:a:awstats:awstats:6.8
-
cpe:2.3:a:awstats:awstats:6.9
-
cpe:2.3:a:awstats:awstats:6.95
-
cpe:2.3:a:awstats:awstats:7.0
-
cpe:2.3:a:awstats:awstats:7.1
-
cpe:2.3:a:awstats:awstats:7.2
-
cpe:2.3:a:awstats:awstats:7.3
-
cpe:2.3:a:awstats:awstats:7.4
-
cpe:2.3:a:awstats:awstats:7.5
-
cpe:2.3:a:awstats:awstats:7.6
-
cpe:2.3:a:awstats:awstats:7.7
-
cpe:2.3:o:debian:debian_linux:9.0
-
cpe:2.3:o:fedoraproject:fedora:32