Vulnerability Details CVE-2020-35176
In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.016
EPSS Ranking 80.7%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 5.0
References
- https://github.com/eldy/awstats/issues/195
- https://lists.debian.org/debian-lts-announce/2020/12/msg00035.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/47QZWKSRZYZFESYTLSW7A6KVKOOPL7IV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRHYCKLW5VPM6KP2WZW6DCCVHVBG7YCW/
- https://github.com/eldy/awstats/issues/195
- https://lists.debian.org/debian-lts-announce/2020/12/msg00035.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/47QZWKSRZYZFESYTLSW7A6KVKOOPL7IV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRHYCKLW5VPM6KP2WZW6DCCVHVBG7YCW/
Products affected by CVE-2020-35176
-
cpe:2.3:a:awstats:awstats:1.0
-
cpe:2.3:a:awstats:awstats:4.0
-
cpe:2.3:a:awstats:awstats:4.1
-
cpe:2.3:a:awstats:awstats:5.0
-
cpe:2.3:a:awstats:awstats:5.1
-
cpe:2.3:a:awstats:awstats:5.2
-
cpe:2.3:a:awstats:awstats:5.3
-
cpe:2.3:a:awstats:awstats:5.4
-
cpe:2.3:a:awstats:awstats:5.5
-
cpe:2.3:a:awstats:awstats:5.6
-
cpe:2.3:a:awstats:awstats:5.7
-
cpe:2.3:a:awstats:awstats:5.8
-
cpe:2.3:a:awstats:awstats:5.9
-
cpe:2.3:a:awstats:awstats:6.0
-
cpe:2.3:a:awstats:awstats:6.1
-
cpe:2.3:a:awstats:awstats:6.2
-
cpe:2.3:a:awstats:awstats:6.3
-
cpe:2.3:a:awstats:awstats:6.4
-
cpe:2.3:a:awstats:awstats:6.5
-
cpe:2.3:a:awstats:awstats:6.6
-
cpe:2.3:a:awstats:awstats:6.7
-
cpe:2.3:a:awstats:awstats:6.8
-
cpe:2.3:a:awstats:awstats:6.9
-
cpe:2.3:a:awstats:awstats:6.95
-
cpe:2.3:a:awstats:awstats:7.0
-
cpe:2.3:a:awstats:awstats:7.1
-
cpe:2.3:a:awstats:awstats:7.2
-
cpe:2.3:a:awstats:awstats:7.3
-
cpe:2.3:a:awstats:awstats:7.4
-
cpe:2.3:a:awstats:awstats:7.5
-
cpe:2.3:a:awstats:awstats:7.6
-
cpe:2.3:a:awstats:awstats:7.7
-
cpe:2.3:a:awstats:awstats:7.8
-
cpe:2.3:o:debian:debian_linux:9.0
-
cpe:2.3:o:fedoraproject:fedora:32
-
cpe:2.3:o:fedoraproject:fedora:33