JVN#36791327: Multiple vulnerabilities in FitNesse

Overview

FitNesse provided by unclebob contains multiple vulnerabilities.

Products Affected

FitNesse releases prior to 20241026

Description

FitNesse provided by unclebob contains multiple vulnerabilities listed below.

Cross-site scripting (CWE-79)
- CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
- CVE-2024-39610
Path traversal (CWE-22)
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score 5.3
- CVE-2024-42499

Impact

An arbitrary script may be executed on the web browser of the user who is using the product (CVE-2024-39610)
An attacker may be able to know whether a file exists at a specific path, and/or obtain some part of the file contents under specific conditions (CVE-2024-42499)

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.
The developer fixed the vulnerability in the following version:

FitNesse release 20241026

Vendor Status

Vendor	Link
unclebob	Release 20241026 / fitnesse · GitHub
	FitNess Official release

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Takeshi Kaneko of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE	CVE-2024-39610
	CVE-2024-42499
JVN iPedia	JVNDB-2024-000119

Update History

2024/11/20: Information under the section [Description] was updated

JVN#36791327 Multiple vulnerabilities in FitNesse