Vulnerability Name:

CVE-2008-3195 (CCN-45183)

Assigned: 2008-08-19
Published: 2008-08-19
Updated: 2017-09-29
Summary: Directory traversal vulnerability in bin/configure in TWiki before 4.2.3, when a certain step in the installation guide is skipped, allows remote attackers to read arbitrary files via a query string containing a .. (dot dot) in the image variable, and execute arbitrary files via unspecified vectors.
CVSS v3 Severity: 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-22
Vulnerability Consequences: Gain Access
References: Source: MITRE
Type: CNA
CVE-2008-3195

Source: CCN
Type: SA31849
TWiki "image" Directory Traversal and Command Execution

Source: SECUNIA
Type: UNKNOWN
31849

Source: SECUNIA
Type: UNKNOWN
31964

Source: SREASON
Type: UNKNOWN
4265

Source: CCN
Type: TWiki Web site
TWikiTM - A Web Based Collaboration Platform

Source: CONFIRM
Type: Patch
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-3195

Source: CCN
Type: TWiki SecurityAlert-CVE-2008-3195
Security Alert: Arbitrary code execution in session files (CVE-2008-3195)

Source: CONFIRM
Type: Patch
http://twiki.org/cgi-bin/view/Codev/TWikiRelease04x02x03#4_2_3_Bugfix_Highlights

Source: DEBIAN
Type: DSA-1639
twiki -- command execution

Source: CCN
Type: US-CERT VU#362012
TWiki command execution vulnerability

Source: CERT-VN
Type: US Government Resource
VU#362012

Source: CONFIRM
Type: UNKNOWN
http://www.kb.cert.org/vuls/id/RGII-7JEQ7L

Source: CCN
Type: OSVDB ID: 48221
TWiki bin/configure image Parameter Traversal Arbitrary File Access/Execution

Source: VUPEN
Type: UNKNOWN
ADV-2008-2586

Source: XF
Type: UNKNOWN
twiki-configure-directory-traversal(45182)

Source: XF
Type: UNKNOWN
twiki-configure-image-command-execution(45183)

Source: EXPLOIT-DB
Type: UNKNOWN
6269

Vulnerable Configuration: Configuration 1:
  • cpe:/a:twiki:twiki:4.0:*:*:*:*:*:*:*
  • OR cpe:/a:twiki:twiki:4.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:twiki:twiki:4.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:twiki:twiki:4.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:twiki:twiki:4.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:twiki:twiki:4.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:twiki:twiki:4.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:twiki:twiki:4.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:twiki:twiki:4.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:twiki:twiki:4.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:twiki:twiki:4.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:twiki:twiki:4.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:twiki:twiki:*:*:*:*:*:*:*:* (Version <= 4.2.2)

  • Configuration CCN 1:
  • cpe:/a:twiki:twiki:4.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:twiki:twiki:4.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:twiki:twiki:4.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:twiki:twiki:4.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:twiki:twiki:4.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:twiki:twiki:4.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:twiki:twiki:4.2.0:*:*:*:*:*:*:*
  • AND
  • cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    OVAL Definitions
    Definition ID                 | Class | Title                                | Last Modified
    oval:org.mitre.oval:def:7915  | P     | DSA-1639 twiki -- command execution  | 2015-02-23
    oval:org.mitre.oval:def:20275 | P     | DSA-1639-1 twiki - command execution | 2014-06-23
    oval:org.debian:def:1639      | V     | command execution                    | 2008-09-19