CVE-2020-29600

In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501.

References

Affected packages

Git / github.com/eldy/awstats

Affected ranges

Type

GIT

Repo

https://github.com/eldy/awstats

Events

Introduced

Last affected

24543ca5891e3eb1a76a92528fde0a4bec4a25a8

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.7"
        }
    ]
}

Affected versions

7.*

7.5

7.6

Other

AWSTATS_4_0_BETA

AWSTATS_4_0_RELEASE

AWSTATS_4_1_BETA

AWSTATS_4_1_RELEASE

AWSTATS_5_0_BETA

AWSTATS_5_0_RELEASE

AWSTATS_5_1_BETA

AWSTATS_5_2_BETA

AWSTATS_5_3_BETA

AWSTATS_5_3_RELEASE

AWSTATS_5_4_RELEASE

AWSTATS_5_5_BETA

AWSTATS_5_5_RELEASE

AWSTATS_5_6_BETA

AWSTATS_5_6_RELEASE

AWSTATS_5_7_BETA

AWSTATS_5_8_BETA

AWSTATS_5_8_RELEASE

AWSTATS_5_9_BETA

AWSTATS_5_9_RELEASE

AWSTATS_6_1_BETA

AWSTATS_6_1_RELEASE

AWSTATS_6_8

AWSTATS_6_8_BETA

AWSTATS_6_9

AWSTATS_6_95_BETA

AWSTATS_6_95_RC

AWSTATS_7_0

AWSTATS_7_0_BETA2

AWSTATS_7_0_BETA3

AWSTATS_7_1

AWSTATS_7_1_BETA2

AWSTATS_7_1_BETA3

AWSTATS_7_2

AWSTATS_7_3

AWSTATS_7_4

AWSTATS_7_5

AWSTATS_7_6

AWSTATS_7_7

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "32"
            }
        ]
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-29600.json"