CVE-2019-14924

Published: Aug 10, 2019Modified: Nov 21, 2024

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An issue was discovered in GCDWebServer before 3.5.3. The method moveItem in the GCDWebUploader class checks the FileExtension of newAbsolutePath but not oldAbsolutePath. By leveraging this vulnerability, an adversary can make an inaccessible file be available (the credential of the app, for instance).

Affected (1)

Products: Gcdwebserver Project: Gcdwebserver

Gcdwebserver Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Gcdwebserver Project Gcdwebserver	Before 3.5.3

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (6)

https://github.com/swisspol/GCDWebServer/commit/02738433bf2e1b820ef48f04edd15df304081802

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/swisspol/GCDWebServer/compare/3.5.2...3.5.3

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/swisspol/GCDWebServer/issues/433

Source: cve@mitre.org

Third Party Advisory

https://github.com/swisspol/GCDWebServer/commit/02738433bf2e1b820ef48f04edd15df304081802

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/swisspol/GCDWebServer/compare/3.5.2...3.5.3

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/swisspol/GCDWebServer/issues/433

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.