Published:2024/11/15 Last Updated:2024/11/20
JVN#36791327
Multiple vulnerabilities in FitNesse
Overview
FitNesse provided by unclebob contains multiple vulnerabilities.
Products Affected
- FitNesse releases prior to 20241026
Description
FitNesse provided by unclebob contains multiple vulnerabilities listed below.
Impact
- An arbitrary script may be executed on the web browser of the user who is using the product (CVE-2024-39610)
- An attacker may be able to know whether a file exists at a specific path, and/or obtain some part of the file contents under specific conditions (CVE-2024-42499)
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
The developer fixed the vulnerability in the following version:
- FitNesse release 20241026
Vendor Status
Vendor | Link |
unclebob | Release 20241026 / fitnesse ยท GitHub |
FitNess Official release |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Takeshi Kaneko of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
JPCERT Alert |
|
JPCERT Reports |
|
CERT Advisory |
|
CPNI Advisory |
|
TRnotes |
|
CVE |
CVE-2024-39610 |
CVE-2024-42499 |
|
JVN iPedia |
JVNDB-2024-000119 |
Update History
- 2024/11/20
- Information under the section [Description] was updated