jvndb - jvndb-2024-000111

jvndb-2024-000111

Vulnerability from jvndb

Published

2024-10-16 14:12

Modified

2024-10-23 17:35

Severity ?

8.6 (High) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Summary

SHIRASAGI vulnerable to path traversal

Details

SHIRASAGI provided by SHIRASAGI Project processes URLs in HTTP requests improperly, resulting in a path traversal vulnerability (CWE-22). Shogo Kumamaru of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

References

Type

URL

	JVN	https://jvn.jp/en/jp/JVN58721679/index.html
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-46898
	Path Traversal(CWE-22)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

Vendor

Product

SHIRASAGI Project

Show details on JVN DB website

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000111.html",
  "dc:date": "2024-10-23T17:35+09:00",
  "dcterms:issued": "2024-10-16T14:12+09:00",
  "dcterms:modified": "2024-10-23T17:35+09:00",
  "description": "SHIRASAGI provided by SHIRASAGI Project processes URLs in HTTP requests improperly, resulting in a path traversal vulnerability (CWE-22).\r\n\r\nShogo Kumamaru of LAC Co., Ltd. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000111.html",
  "sec:cpe": {
    "#text": "cpe:/a:ss-proj:shirasagi",
    "@product": "SHIRASAGI",
    "@vendor": "SHIRASAGI Project",
    "@version": "2.2"
  },
  "sec:cvss": {
    "@score": "8.6",
    "@severity": "High",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2024-000111",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN58721679/index.html",
      "@id": "JVN#58721679",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-46898",
      "@id": "CVE-2024-46898",
      "@source": "CVE"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-22",
      "@title": "Path Traversal(CWE-22)"
    }
  ],
  "title": "SHIRASAGI vulnerable to path traversal"
}

CVE-2024-46898 (GCVE-0-2024-46898)

Vulnerability from cvelistv5

Published

2024-10-15 06:10

Modified

2024-10-23 04:58

Severity ?

8.6 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-22 - Improper limitation of a pathname to a restricted directory ('Path Traversal')

Summary

SHIRASAGI prior to v1.19.1 processes URLs in HTTP requests improperly, resulting in a path traversal vulnerability. If this vulnerability is exploited, arbitrary files on the server may be retrieved when processing crafted HTTP requests.

References

URL

Tags

	https://github.com/shirasagi/shirasagi/commit/5ac4685d7e4330f949f13219069107fc5d768934
	https://www.ss-proj.org/
	https://jvn.jp/en/jp/JVN58721679/

Impacted products

	Vendor	Product	Version
	SHIRASAGI Project	SHIRASAGI	Version: prior to v1.19.1

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:ss-proj:shirasagi:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "affected",
            "product": "shirasagi",
            "vendor": "ss-proj",
            "versions": [
              {
                "lessThan": "1.19.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-46898",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-15T13:46:04.867617Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-15T13:48:49.696Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SHIRASAGI",
          "vendor": "SHIRASAGI Project",
          "versions": [
            {
              "status": "affected",
              "version": "prior to v1.19.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SHIRASAGI prior to v1.19.1 processes URLs in HTTP requests improperly, resulting in a path traversal vulnerability. If this vulnerability is exploited, arbitrary files on the server may be retrieved when processing crafted HTTP requests."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-23T04:58:28.816Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://github.com/shirasagi/shirasagi/commit/5ac4685d7e4330f949f13219069107fc5d768934"
        },
        {
          "url": "https://www.ss-proj.org/"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN58721679/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2024-46898",
    "datePublished": "2024-10-15T06:10:30.968Z",
    "dateReserved": "2024-10-04T06:36:35.246Z",
    "dateUpdated": "2024-10-23T04:58:28.816Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.