Common Weakness Enumeration

CWE-178

Allowed

Improper Handling of Case Sensitivity

Abstraction: Base · Status: Incomplete

The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

136 vulnerabilities reference this CWE, most recent first.

CVE-2024-32879 (GCVE-0-2024-32879)

Vulnerability from cvelistv5 – Published: 2024-04-24 19:42 – Updated: 2024-08-02 02:20
VLAI
Title
social-auth-app-django Improper Handling of Case Sensitivity vulnerability
Summary
Python Social Auth is a social authentication/registration mechanism. Prior to version 5.4.1, due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match. This issue has been addressed by a fix released in version 5.4.1. An immediate workaround would be to change collation of the affected field.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-178 - Improper Handling of Case Sensitivity
  • CWE-303 - Incorrect Implementation of Authentication Algorithm
Assigner
Impacted products
Vendor Product Version
python-social-auth social-app-django Affected: < 5.4.1
Create a notification for this product.
python-social-auth social-app-django Affected: 0 , < 5.4.1 (custom)
    cpe:2.3:a:python-social-auth:social-app-django:*:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:python-social-auth:social-app-django:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "social-app-django",
            "vendor": "python-social-auth",
            "versions": [
              {
                "lessThan": "5.4.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-32879",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-29T19:27:52.308869Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:51:12.451Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:20:35.665Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-2gr8-3wc7-xhj3",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-2gr8-3wc7-xhj3"
          },
          {
            "name": "https://github.com/python-social-auth/social-app-django/pull/566",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/python-social-auth/social-app-django/pull/566"
          },
          {
            "name": "https://github.com/python-social-auth/social-app-django/commit/31c3e0c7edb187004d8abbde7e9c4f7ef9098138",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/python-social-auth/social-app-django/commit/31c3e0c7edb187004d8abbde7e9c4f7ef9098138"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "social-app-django",
          "vendor": "python-social-auth",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.4.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Python Social Auth is a social authentication/registration mechanism. Prior to version 5.4.1, due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match. This issue has been addressed by a fix released in version 5.4.1. An immediate workaround would be to change collation of the affected field."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-178",
              "description": "CWE-178: Improper Handling of Case Sensitivity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-303",
              "description": "CWE-303: Incorrect Implementation of Authentication Algorithm",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-24T19:42:14.642Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-2gr8-3wc7-xhj3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-2gr8-3wc7-xhj3"
        },
        {
          "name": "https://github.com/python-social-auth/social-app-django/pull/566",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/python-social-auth/social-app-django/pull/566"
        },
        {
          "name": "https://github.com/python-social-auth/social-app-django/commit/31c3e0c7edb187004d8abbde7e9c4f7ef9098138",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/python-social-auth/social-app-django/commit/31c3e0c7edb187004d8abbde7e9c4f7ef9098138"
        }
      ],
      "source": {
        "advisory": "GHSA-2gr8-3wc7-xhj3",
        "discovery": "UNKNOWN"
      },
      "title": "social-auth-app-django Improper Handling of Case Sensitivity vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-32879",
    "datePublished": "2024-04-24T19:42:14.642Z",
    "dateReserved": "2024-04-19T14:07:11.230Z",
    "dateUpdated": "2024-08-02T02:20:35.665Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-23331 (GCVE-0-2024-23331)

Vulnerability from cvelistv5 – Published: 2024-01-19 19:43 – Updated: 2025-06-17 21:19
VLAI
Title
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
Summary
Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-178 - Improper Handling of Case Sensitivity
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-284 - Improper Access Control
Assigner
Impacted products
Vendor Product Version
vitejs vite Affected: >=2.7.0, < 2.9.17
Affected: >=3.0.0, <3.2.8
Affected: >=4.0.0, < 4.5.2
Affected: >=5.0.0, < 5.0.12
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T22:59:32.203Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw"
          },
          {
            "name": "https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5"
          },
          {
            "name": "https://vitejs.dev/config/server-options.html#server-fs-deny",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://vitejs.dev/config/server-options.html#server-fs-deny"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-23331",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-01-22T14:54:35.729020Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-17T21:19:25.323Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vite",
          "vendor": "vitejs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e=2.7.0, \u003c 2.9.17"
            },
            {
              "status": "affected",
              "version": "\u003e=3.0.0, \u003c3.2.8"
            },
            {
              "status": "affected",
              "version": "\u003e=4.0.0, \u003c 4.5.2"
            },
            {
              "status": "affected",
              "version": "\u003e=5.0.0, \u003c 5.0.12"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn\u0027t discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-178",
              "description": "CWE-178: Improper Handling of Case Sensitivity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-19T19:43:17.404Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw"
        },
        {
          "name": "https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5"
        },
        {
          "name": "https://vitejs.dev/config/server-options.html#server-fs-deny",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://vitejs.dev/config/server-options.html#server-fs-deny"
        }
      ],
      "source": {
        "advisory": "GHSA-c24v-8rfc-w8vw",
        "discovery": "UNKNOWN"
      },
      "title": "Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-23331",
    "datePublished": "2024-01-19T19:43:17.404Z",
    "dateReserved": "2024-01-15T15:19:19.442Z",
    "dateUpdated": "2025-06-17T21:19:25.323Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-6866 (GCVE-0-2024-6866)

Vulnerability from cvelistv5 – Published: 2025-03-20 10:10 – Updated: 2025-11-03 19:34
VLAI
Title
Case-Insensitive Path Matching in corydolphin/flask-cors
Summary
corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-178 - Improper Handling of Case Sensitivity
Assigner
Impacted products
Vendor Product Version
corydolphin corydolphin/flask-cors Affected: unspecified , ≤ latest (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-6866",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-20T17:47:43.885682Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-20T18:14:35.722Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:34:42.290Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00049.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "corydolphin/flask-cors",
          "vendor": "corydolphin",
          "versions": [
            {
              "lessThanOrEqual": "latest",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-178",
              "description": "CWE-178 Improper Handling of Case Sensitivity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-20T10:10:59.521Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/808c11af-faee-43a8-824b-b5ab4f62b9e6"
        }
      ],
      "source": {
        "advisory": "808c11af-faee-43a8-824b-b5ab4f62b9e6",
        "discovery": "EXTERNAL"
      },
      "title": "Case-Insensitive Path Matching in corydolphin/flask-cors"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-6866",
    "datePublished": "2025-03-20T10:10:59.521Z",
    "dateReserved": "2024-07-17T21:09:41.423Z",
    "dateUpdated": "2025-11-03T19:34:42.290Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-4759 (GCVE-0-2023-4759)

Vulnerability from cvelistv5 – Published: 2023-09-12 09:12 – Updated: 2024-08-02 07:37
VLAI
Title
Improper handling of case insensitive filesystems in Eclipse JGit allows arbitrary file write
Summary
Arbitrary File Overwrite in Eclipse JGit <= 6.6.0 In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem. This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command. The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration. Setting git configuration option core.symlinks = false before checking out avoids the problem. The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/  and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . A backport is available in 5.13.3 starting from 5.13.3.202401111512-r. The JGit maintainers would like to thank RyotaK for finding and reporting this issue.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
  • CWE-178 - Improper Handling of Case Sensitivity
Assigner
Impacted products
Vendor Product Version
Eclipse Foundation Eclipse JGit Affected: 0.0.0 , ≤ 6.6.0.202305301015-r (semver)
Unaffected: 5.13.3.202401111512-r
Create a notification for this product.
eclipse jgit Affected: 0 , ≤ 6.6.0.202305301015-r (semver)
    cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:*
Create a notification for this product.
eclipse jgit Unaffected: 5.13.3.202401111512-r
    cpe:2.3:a:eclipse:jgit:5.13.3.202401111512-r:*:*:*:*:*:*:*
Create a notification for this product.
Date Public
2023-09-12 10:00
Credits
RyotaK
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "jgit",
            "vendor": "eclipse",
            "versions": [
              {
                "lessThanOrEqual": "6.6.0.202305301015-r",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:eclipse:jgit:5.13.3.202401111512-r:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "jgit",
            "vendor": "eclipse",
            "versions": [
              {
                "status": "unaffected",
                "version": "5.13.3.202401111512-r"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4759",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-19T03:55:38.083883Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-19T13:51:38.023Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:37:59.574Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://projects.eclipse.org/projects/technology.jgit/releases/6.6.1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://git.eclipse.org/c/jgit/jgit.git/",
          "defaultStatus": "unaffected",
          "product": "Eclipse JGit",
          "vendor": "Eclipse Foundation",
          "versions": [
            {
              "lessThanOrEqual": "6.6.0.202305301015-r",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "  5.13.3.202401111512-r"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "RyotaK"
        }
      ],
      "datePublic": "2023-09-12T10:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eArbitrary File Overwrite in Eclipse JGit \u0026lt;= 6.6.0\u003c/p\u003e\u003cp\u003eIn Eclipse JGit, all versions \u0026lt;= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.\u003c/p\u003e\u003cp\u003eThis can happen on checkout (\u003ccode\u003eDirCacheCheckout\u003c/code\u003e), merge (\u003ccode\u003eResolveMerger\u003c/code\u003e\u0026nbsp;via its \u003ccode\u003eWorkingTreeUpdater\u003c/code\u003e), pull (\u003ccode\u003ePullCommand\u003c/code\u003e\u0026nbsp;using merge), and when applying a patch (\u003ccode\u003ePatchApplier\u003c/code\u003e). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.\u003c/p\u003e\u003cp\u003eThe issue occurs only on case-\u003cstrong\u003ein\u003c/strong\u003esensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.\u003c/p\u003e\u003cp\u003eSetting git configuration option \u003ccode\u003ecore.symlinks = false\u003c/code\u003e\u0026nbsp;before checking out avoids the problem.\u003c/p\u003e\u003cp\u003eThe issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://repo1.maven.org/maven2/org/eclipse/jgit/\"\u003eMaven Central\u003c/a\u003e\u0026nbsp;and \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://repo.eclipse.org/content/repositories/jgit-releases/\"\u003erepo.eclipse.org\u003c/a\u003e. A backport is available in 5.13.3 starting from  5.13.3.202401111512-r.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThe JGit maintainers would like to thank RyotaK for finding and reporting this issue.\u003cbr\u003e\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "Arbitrary File Overwrite in Eclipse JGit \u003c= 6.6.0\n\nIn Eclipse JGit, all versions \u003c= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.\n\nThis can happen on checkout (DirCacheCheckout), merge (ResolveMerger\u00a0via its WorkingTreeUpdater), pull (PullCommand\u00a0using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.\n\nThe issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.\n\nSetting git configuration option core.symlinks = false\u00a0before checking out avoids the problem.\n\nThe issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via  Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/ \u00a0and  repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . A backport is available in 5.13.3 starting from  5.13.3.202401111512-r.\n\n\nThe JGit maintainers would like to thank RyotaK for finding and reporting this issue.\n\n\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-132",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-132 Symlink Attack"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-178",
              "description": "CWE-178 Improper Handling of Case Sensitivity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-12T15:21:24.101Z",
        "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "shortName": "eclipse"
      },
      "references": [
        {
          "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11"
        },
        {
          "url": "https://projects.eclipse.org/projects/technology.jgit/releases/6.6.1"
        },
        {
          "url": "https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Improper handling of case insensitive filesystems in Eclipse JGit allows arbitrary file write",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSetting git configuration option \u003ccode\u003ecore.symlinks = false\u003c/code\u003e\u0026nbsp;before checking out avoids the problem.\u003c/p\u003e"
            }
          ],
          "value": "Setting git configuration option core.symlinks = false\u00a0before checking out avoids the problem.\n\n"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
    "assignerShortName": "eclipse",
    "cveId": "CVE-2023-4759",
    "datePublished": "2023-09-12T09:12:10.254Z",
    "dateReserved": "2023-09-04T16:06:00.689Z",
    "dateUpdated": "2024-08-02T07:37:59.574Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-3545 (GCVE-0-2023-3545)

Vulnerability from cvelistv5 – Published: 2023-11-28 07:07 – Updated: 2024-08-02 07:01
VLAI
Title
Chamilo LMS Htaccess File Upload Security Bypass
Summary
Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections and obtain remote code execution via uploading of `.htaccess` file. This vulnerability may be exploited by privileged attackers or chained with unauthenticated arbitrary file write vulnerabilities, such as CVE-2023-3533, to achieve remote code execution.
CWE
  • CWE-178 - Improper Handling of Case Sensitivity
Assigner
Impacted products
Vendor Product Version
Chamilo Chamilo Affected: 0 , ≤ 1.11.20 (semver)
Create a notification for this product.
Credits
Ngo Wei Lin (@Creastery) of STAR Labs SG Pte. Ltd. (@starlabs_sg)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:01:57.437Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-125-2023-07-13-Critical-impact-Moderate-risk-Htaccess-File-Upload-Security-Bypass-on-Windows-CVE-2023-3545"
          },
          {
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://starlabs.sg/advisories/23/23-3545/"
          },
          {
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://github.com/chamilo/chamilo-lms/commit/dc7bfce429fbd843a95a57c184b6992c4d709549"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "Chamilo",
          "repo": "https://github.com/chamilo/chamilo-lms/",
          "vendor": "Chamilo",
          "versions": [
            {
              "lessThanOrEqual": "1.11.20",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Ngo Wei Lin (@Creastery) of STAR Labs SG Pte. Ltd. (@starlabs_sg)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS \u0026lt;= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections and obtain remote code execution via uploading of `.htaccess` file. This vulnerability may be exploited by privileged attackers or chained with unauthenticated arbitrary file write vulnerabilities, such as CVE-2023-3533, to achieve remote code execution."
            }
          ],
          "value": "Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS \u003c= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections and obtain remote code execution via uploading of `.htaccess` file. This vulnerability may be exploited by privileged attackers or chained with unauthenticated arbitrary file write vulnerabilities, such as CVE-2023-3533, to achieve remote code execution."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-650",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-650 Upload a Web Shell to a Web Server"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-178",
              "description": "CWE-178 Improper Handling of Case Sensitivity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-28T07:07:27.183Z",
        "orgId": "b1571b85-cbc9-431f-830b-0c8155323a69",
        "shortName": "STAR_Labs"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-125-2023-07-13-Critical-impact-Moderate-risk-Htaccess-File-Upload-Security-Bypass-on-Windows-CVE-2023-3545"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://starlabs.sg/advisories/23/23-3545/"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/chamilo/chamilo-lms/commit/dc7bfce429fbd843a95a57c184b6992c4d709549"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Chamilo LMS Htaccess File Upload Security Bypass",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b1571b85-cbc9-431f-830b-0c8155323a69",
    "assignerShortName": "STAR_Labs",
    "cveId": "CVE-2023-3545",
    "datePublished": "2023-11-28T07:07:27.183Z",
    "dateReserved": "2023-07-07T13:10:48.745Z",
    "dateUpdated": "2024-08-02T07:01:57.437Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-39155 (GCVE-0-2021-39155)

Vulnerability from cvelistv5 – Published: 2021-08-24 22:25 – Updated: 2024-08-04 01:58
VLAI
Title
Authorization Policy Bypass Due to Case Insensitive Host Comparison
Summary
Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname "httpbin.foo" for some source IPs, but the attacker can bypass this by sending the request with hostname "Httpbin.Foo". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide.
CWE
  • CWE-178 - Improper Handling of Case Sensitivity
Assigner
References
Impacted products
Vendor Product Version
istio istio Affected: <= 1.9.8
Affected: >= 1.10.0, < 1.10.4
Affected: >= 1.11.0, < 1.11.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:58:18.140Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://datatracker.ietf.org/doc/html/rfc4343"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "istio",
          "vendor": "istio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.9.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.10.0, \u003c 1.10.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.11.0, \u003c 1.11.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-178",
              "description": "CWE-178: Improper Handling of Case Sensitivity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-24T22:25:17.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://datatracker.ietf.org/doc/html/rfc4343"
        }
      ],
      "source": {
        "advisory": "GHSA-7774-7vr3-cc8j",
        "discovery": "UNKNOWN"
      },
      "title": "Authorization Policy Bypass Due to Case Insensitive Host Comparison",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-39155",
          "STATE": "PUBLIC",
          "TITLE": "Authorization Policy Bypass Due to Case Insensitive Host Comparison"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "istio",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c= 1.9.8"
                          },
                          {
                            "version_value": "\u003e= 1.10.0, \u003c 1.10.4"
                          },
                          {
                            "version_value": "\u003e= 1.11.0, \u003c 1.11.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "istio"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects request with hostname \"httpbin.foo\" for some source IPs, but the attacker can bypass this by sending the request with hostname \"Httpbin.Foo\". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-178: Improper Handling of Case Sensitivity"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j",
              "refsource": "CONFIRM",
              "url": "https://github.com/istio/istio/security/advisories/GHSA-7774-7vr3-cc8j"
            },
            {
              "name": "https://datatracker.ietf.org/doc/html/rfc4343",
              "refsource": "MISC",
              "url": "https://datatracker.ietf.org/doc/html/rfc4343"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-7774-7vr3-cc8j",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-39155",
    "datePublished": "2021-08-24T22:25:18.000Z",
    "dateReserved": "2021-08-16T00:00:00.000Z",
    "dateUpdated": "2024-08-04T01:58:18.140Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-24347 (GCVE-0-2021-24347)

Vulnerability from cvelistv5 – Published: 2021-06-14 13:37 – Updated: 2024-08-03 19:28
VLAI
Title
SP Project & Document Manager <2 4.22 - Authenticated Shell Upload
Summary
The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for example, from "php" to "pHP".
Severity
No CVSS data available.
CWE
  • CWE-178 - Improper Handling of Case Sensitivity
Assigner
Impacted products
Vendor Product Version
Unknown SP Project & Document Manager Affected: 4.22 , < 4.22 (custom)
Create a notification for this product.
Credits
Viktor Markopoulos
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:28:23.833Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/163434/WordPress-SP-Project-And-Document-Manager-4.21-Shell-Upload.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/163675/WordPress-SP-Project-And-Document-Remote-Code-Execution.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SP Project \u0026 Document Manager",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "4.22",
              "status": "affected",
              "version": "4.22",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Viktor Markopoulos"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The SP Project \u0026 Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension\u0027s case, for example, from \"php\" to \"pHP\"."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-178",
              "description": "CWE-178 Improper Handling of Case Sensitivity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-01T12:45:43.000Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/163434/WordPress-SP-Project-And-Document-Manager-4.21-Shell-Upload.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/163675/WordPress-SP-Project-And-Document-Remote-Code-Execution.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "SP Project \u0026 Document Manager \u003c2 4.22 - Authenticated Shell Upload",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2021-24347",
          "STATE": "PUBLIC",
          "TITLE": "SP Project \u0026 Document Manager \u003c2 4.22 - Authenticated Shell Upload"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "SP Project \u0026 Document Manager",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "4.22",
                            "version_value": "4.22"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Viktor Markopoulos"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The SP Project \u0026 Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension\u0027s case, for example, from \"php\" to \"pHP\"."
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-178 Improper Handling of Case Sensitivity"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a",
              "refsource": "CONFIRM",
              "url": "https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a"
            },
            {
              "name": "http://packetstormsecurity.com/files/163434/WordPress-SP-Project-And-Document-Manager-4.21-Shell-Upload.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/163434/WordPress-SP-Project-And-Document-Manager-4.21-Shell-Upload.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/163675/WordPress-SP-Project-And-Document-Remote-Code-Execution.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/163675/WordPress-SP-Project-And-Document-Remote-Code-Execution.html"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2021-24347",
    "datePublished": "2021-06-14T13:37:12.000Z",
    "dateReserved": "2021-01-14T00:00:00.000Z",
    "dateUpdated": "2024-08-03T19:28:23.833Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-24M3-W8G9-JWPQ

Vulnerability from github – Published: 2020-04-22 20:59 – Updated: 2024-02-06 13:27
VLAI
Summary
Information disclosure of source code in SimpleSAMLphp
Details

Background

The module controller in SimpleSAML\Module that processes requests for pages hosted by modules, has code to identify paths ending with .php and process those as PHP code. If no other suitable way of handling the given path exists it presents the file to the browser.

Description

The check to identify paths ending with .php does not account for uppercase letters. If someone requests a path ending with e.g. .PHP and the server is serving the code from a case-insensitive file system, such as on Windows, the processing of the PHP code does not occur, and the source code is instead presented to the browser.

Affected versions

SimpleSAMLphp versions 1.18.5 and older.

Impact

An attacker may use this issue to gain access to the source code in third-party modules that is meant to be private, or even sensitive. However, the attack surface is considered small, as the attack will only work when SimpleSAMLphp serves such content from a file system that is not case-sensitive, such as on Windows.

Resolution

Upgrade the SimpleSAMLphp installation to version 1.18.6.

Credit

This vulnerability was discovered and reported by Sławek Naczyński.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "simplesamlphp/simplesamlphp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.18.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-5301"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-178",
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-04-21T19:50:30Z",
    "nvd_published_at": "2020-04-21T20:15:00Z",
    "severity": "LOW"
  },
  "details": "### Background\n\nThe module controller in `SimpleSAML\\Module` that processes requests for pages\nhosted by modules, has code to identify paths ending with `.php` and process\nthose as PHP code. If no other suitable way of handling the given path exists it\npresents the file to the browser.\n\n### Description\n\nThe check to identify paths ending with `.php` does not account for uppercase\nletters. If someone requests a path ending with e.g. `.PHP` and the server is\nserving the code from a case-insensitive file system, such as on Windows, the\nprocessing of the PHP code does not occur, and the source code is instead\npresented to the browser.\n\n### Affected versions\n\nSimpleSAMLphp versions **1.18.5 and older**.\n\n### Impact\n\nAn attacker may use this issue to gain access to the source code in third-party\nmodules that is meant to be private, or even sensitive. However, the attack\nsurface is considered small, as the attack will only work when SimpleSAMLphp\nserves such content from a file system that is not case-sensitive, such as on\nWindows.\n\n### Resolution\n\nUpgrade the SimpleSAMLphp installation to version **1.18.6**.\n\n### Credit\n\nThis vulnerability was discovered and reported by S\u0142awek Naczy\u0144ski.",
  "id": "GHSA-24m3-w8g9-jwpq",
  "modified": "2024-02-06T13:27:42Z",
  "published": "2020-04-22T20:59:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-24m3-w8g9-jwpq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5301"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/simplesamlphp/commit/47968d26a2fd3ed52da70dc09210921d612ce44e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2020-5301.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/simplesamlphp"
    },
    {
      "type": "WEB",
      "url": "https://simplesamlphp.org/security/202004-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Information disclosure of source code in SimpleSAMLphp"
}

GHSA-2C2H-2855-MF97

Vulnerability from github – Published: 2025-03-09 15:31 – Updated: 2025-03-25 18:38
VLAI
Summary
Apache Camel: Camel Message Header Injection via Improper Filtering
Details

Bypass/Injection vulnerability in Apache Camel components under particular conditions.

This issue affects Apache Camel: from 4.9.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3.

Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.

This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, to call another method on the bean, than was coded in the application. In the camel-jms component, then a malicious header can be used to send the message to another queue (on the same broker) than was coded in the application. This could also be seen by using the camel-exec component.

The attacker would need to inject custom headers, such as HTTP protocols. So if you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include malicious HTTP headers in the HTTP requests that are send to the Camel application.

All the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box.

In these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean.

In terms of usage of the default header filter strategy the list of components using that is:

  • camel-activemq
  • camel-activemq6
  • camel-amqp
  • camel-aws2-sqs
  • camel-azure-servicebus
  • camel-cxf-rest
  • camel-cxf-soap
  • camel-http
  • camel-jetty
  • camel-jms
  • camel-kafka
  • camel-knative
  • camel-mail
  • camel-nats
  • camel-netty-http
  • camel-platform-http
  • camel-rest
  • camel-sjms
  • camel-spring-rabbitmq
  • camel-stomp
  • camel-tahu
  • camel-undertow
  • camel-xmpp

The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with "Camel", "camel", or "org.apache.camel.".

Mitigation: You can easily work around this in your Camel applications by removing the headers in your Camel routes. There are many ways of doing this, also globally or per route. This means you could use the removeHeaders EIP, to filter out anything like "cAmel, cAMEL" etc, or in general everything not starting with "Camel", "camel" or "org.apache.camel.".

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.camel:camel-support"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.10.0"
            },
            {
              "fixed": "3.22.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.camel:camel-support"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-M1"
            },
            {
              "fixed": "4.8.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.camel:camel-support"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.9.0"
            },
            {
              "fixed": "4.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27636"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-178"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-10T20:49:46Z",
    "nvd_published_at": "2025-03-09T13:15:34Z",
    "severity": "MODERATE"
  },
  "details": "Bypass/Injection vulnerability in Apache Camel components under particular conditions.\n\nThis issue affects Apache Camel: from 4.9.0 through \u003c= 4.10.1, from 4.8.0 through \u003c= 4.8.4, from 3.10.0 through \u003c= 3.22.3.\n\nUsers are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.\n\nThis vulnerability is present in Camel\u0027s default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, to call another method on the bean, than was coded in the application. In the `camel-jms` component, then a malicious header can be used to send the message to another queue (on the same broker) than was coded in the application. This could also be seen by using the camel-exec component.\n\nThe attacker would need to inject custom headers, such as HTTP protocols. So if you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include malicious HTTP headers in the HTTP requests that are send to the Camel application.\n\nAll the known Camel HTTP component such as `camel-servlet`, `camel-jetty`, `camel-undertow`, `camel-platform-http`, and `camel-netty-http` would be vulnerable out of the box.\n\nIn these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean.\n\nIn terms of usage of the default header filter strategy the list of components using that is: \n\n  *  camel-activemq\n  *  camel-activemq6\n  *  camel-amqp\n  *  camel-aws2-sqs\n  *  camel-azure-servicebus\n  *  camel-cxf-rest\n  *  camel-cxf-soap\n  *  camel-http\n  *  camel-jetty\n  *  camel-jms\n  *  camel-kafka\n  *  camel-knative\n  *  camel-mail\n  *  camel-nats\n  *  camel-netty-http\n  *  camel-platform-http\n  *  camel-rest\n  *  camel-sjms\n  *  camel-spring-rabbitmq\n  *  camel-stomp\n  *  camel-tahu\n  *  camel-undertow\n  *  camel-xmpp\n\nThe vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with \"Camel\", \"camel\", or \"org.apache.camel.\". \n\nMitigation: You can easily work around this in your Camel applications by removing the headers in your Camel routes. There are many ways of doing this, also globally or per route. This means you could use the removeHeaders EIP, to filter out anything like \"cAmel, cAMEL\" etc, or in general everything not starting with \"Camel\", \"camel\" or \"org.apache.camel.\".",
  "id": "GHSA-2c2h-2855-mf97",
  "modified": "2025-03-25T18:38:07Z",
  "published": "2025-03-09T15:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27636"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel/commit/23a833eec6131a3cdce6e4b1b40b3ac2035b6adf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel/commit/45a6b74f7f8af8fd58f197566938a9534392a624"
    },
    {
      "type": "WEB",
      "url": "https://camel.apache.org/security/CVE-2025-27636.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC/blob/main/src/main/java/com/example/camel/VulnerableCamel.java"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/camel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel/blob/camel-4.9.0/core/camel-support/src/main/java/org/apache/camel/support/DefaultHeaderFilterStrategy.java"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/CAMEL-21828"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/l3zcg3vts88bmc7w8172wkgw610y693z"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/03/09/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Camel: Camel Message Header Injection via Improper Filtering"
}

GHSA-2GR8-3WC7-XHJ3

Vulnerability from github – Published: 2024-04-24 18:47 – Updated: 2024-08-28 20:09
VLAI
Summary
social-auth-app-django affected by Improper Handling of Case Sensitivity
Details

Impact

Due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match.

Patches

This issue has been addressed by https://github.com/python-social-auth/social-app-django/pull/566 and fix released in 5.4.1.

Workarounds

An immediate workaround would be to change collation of the affected field:

ALTER TABLE `social_auth_usersocialauth` MODIFY `uid` varchar(255) COLLATE `utf8_bin`;

References

This issue was discovered by folks at https://opencraft.com/.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "social-auth-app-django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-32879"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-178",
      "CWE-303"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-24T18:47:21Z",
    "nvd_published_at": "2024-04-24T20:15:07Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nDue to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match.\n\n### Patches\nThis issue has been addressed by https://github.com/python-social-auth/social-app-django/pull/566 and fix released in 5.4.1.\n\n### Workarounds\nAn immediate workaround would be to change collation of the affected field:\n\n```mysql\nALTER TABLE `social_auth_usersocialauth` MODIFY `uid` varchar(255) COLLATE `utf8_bin`;\n```\n\n### References\nThis issue was discovered by folks at https://opencraft.com/.\n",
  "id": "GHSA-2gr8-3wc7-xhj3",
  "modified": "2024-08-28T20:09:46Z",
  "published": "2024-04-24T18:47:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-2gr8-3wc7-xhj3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32879"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python-social-auth/social-app-django/pull/566"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python-social-auth/social-app-django/commit/31c3e0c7edb187004d8abbde7e9c4f7ef9098138"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/python-social-auth/social-app-django"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "social-auth-app-django affected by Improper Handling of Case Sensitivity"
}

Mitigation MIT-44
Architecture and Design

Strategy: Input Validation

Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

No CAPEC attack patterns related to this CWE.