GHSA-qg5v-jw6f-rpfj

Source
https://github.com/advisories/GHSA-qg5v-jw6f-rpfj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qg5v-jw6f-rpfj/GHSA-qg5v-jw6f-rpfj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qg5v-jw6f-rpfj
Aliases
  • CVE-2013-1939
Published
2022-05-14T01:52:20Z
Modified
2024-12-04T05:29:58.274167Z
Summary
SabreDAV Directory Traversal vulnerability
Details

The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, and 1.8.x before 1.8.5, as used in ownCloud, when running on Windows, does not properly check path separators in the base path, which allows remote attackers to read arbitrary files via a \ (backslash) character.

Database specific
{
    "nvd_published_at": "2014-03-14T16:55:00Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-22"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-07T15:45:57Z"
}

Affected packages

Packagist / sabre/dav

Package

Name
sabre/dav
Purl
pkg:composer/sabre/dav

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.7.0
Fixed
1.7.7

Affected versions

1.*

1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6

Packagist / sabre/dav

Package

Name
sabre/dav
Purl
pkg:composer/sabre/dav

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.8.0
Fixed
1.8.5

Affected versions

1.*

1.8.0
1.8.1
1.8.2
1.8.3
1.8.4

Packagist / sabre/dav

Package

Name
sabre/dav
Purl
pkg:composer/sabre/dav

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.6.0
Fixed
1.6.9

Affected versions

1.*

1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8