GHSA-xm6j-x342-gwq9

Source

https://github.com/advisories/GHSA-xm6j-x342-gwq9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-xm6j-x342-gwq9/GHSA-xm6j-x342-gwq9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xm6j-x342-gwq9

Aliases

CVE-2019-16409

Published

2019-11-12T23:01:05Z

Modified

2024-02-17T05:36:29.755002Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

SilverStripe Versioned Files module Unpublished files are exposed publicly

Details

In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding of the symbiote/silverstripe-versionedfiles source code. (Users who upgrade from SilverStripe 3.x to 4.x and had Versioned Files installed have no further need for this module, because the 4.x release has built-in versioning. However, nothing in the upgrade process automates the destruction of these insecure artefacts, nor alerts the user to the criticality of destruction.)

Database specific

{
    "github_reviewed_at": "2019-11-12T22:54:36Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "nvd_published_at": "2019-09-26T16:15:00Z"
}

References

Affected packages

Packagist / symbiote/silverstripe-versionedfiles

Package

Name: symbiote/silverstripe-versionedfiles
Purl: pkg:composer/symbiote/silverstripe-versionedfiles

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

2.0.3

Affected versions

1.*

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.0.12

1.0.13

2.*

2.0.0

2.0.1

2.0.2

2.0.3

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.3.5

Affected versions

4.*

4.0.0

4.0.1-rc1

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.1.0-rc1

4.1.0-rc2

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.2.0-beta1

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.3.0-rc1

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.4.0

Fixed

4.4.4

Affected versions

4.*

4.4.0

4.4.1

4.4.2

4.4.3