Published: 2024/10/15   Last Updated: 2024/10/23
JVN#58721679
SHIRASAGI vulnerable to path traversal
Overview
SHIRASAGI provided by SHIRASAGI Project contains a path traversal vulnerability.
Products Affected
- SHIRASAGI versions prior to v1.19.1
Description
SHIRASAGI provided by SHIRASAGI Project processes URLs in HTTP requests improperly, resulting in a path traversal vulnerability (CWE-22).
Impact
When processing crafted HTTP requests, arbitrary files on the server may be retrieved.
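The advisory classifies the flaw as CWE-22 but does not describe the vulnerable code. As an added illustration of the defensive check that closes this class of bug (example code written for this page, not SHIRASAGI's code and not the content of commit 5ac4685), the Ruby helper below resolves a requested URL path against a document root and refuses anything that would escape it; the root directory and helper names are assumptions.

```ruby
# Resolve a request path against a fixed document root and reject any path
# that would read outside it. Hypothetical root for illustration only.
PUBLIC_ROOT = File.expand_path("/srv/app/public")

class TraversalError < StandardError; end

def safe_public_path(request_path, root = PUBLIC_ROOT)
  # 1. Percent-decode exactly once, so "%2e%2e" is inspected as "..".
  #    A NUL byte is rejected because it can truncate the path further down.
  decoded = request_path.to_s.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
  raise TraversalError, "NUL byte in path" if decoded.include?("\0")

  # 2. Refuse any ".." segment (either separator) before touching the
  #    filesystem; normalisation alone is easy to get subtly wrong.
  segments = decoded.split(%r{[/\\]+})
  raise TraversalError, "dot-dot segment" if segments.include?("..")

  # 3. Treat the request as relative to root. A leading "~" must be refused
  #    because File.expand_path would expand it to a home directory.
  rel = decoded.sub(%r{\A[/\\]+}, "")
  raise TraversalError, "home-directory expansion" if rel.start_with?("~")

  # 4. Resolve to an absolute path and require it to stay inside root.
  #    Comparing with a trailing separator stops "/srv/app/public2" matching.
  full = File.expand_path(rel, root)
  unless full == root || full.start_with?(root + File::SEPARATOR)
    raise TraversalError, "path escapes document root"
  end
  full
end

# Variant for request handlers that want to answer 400/404 instead of raising.
def safe_public_path_or_nil(request_path, root = PUBLIC_ROOT)
  safe_public_path(request_path, root)
rescue TraversalError
  nil
end
```

Logging the rejected request path at the point where `TraversalError` is raised gives a simple detection signal for scanning attempts against the file-serving route.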
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
The developer has released the following version that addresses the vulnerability.
- SHIRASAGI v1.19.1
Vendor Status
Vendor | Link |
---|---|
SHIRASAGI Project | Commit 5ac4685: [fix] directory traversal possibility (#5427) |
SHIRASAGI Project | SHIRASAGI Official Website (Text in Japanese) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Base Score: 8.6
Metric | Value |
---|---|
Attack Vector (AV) | Network (N) |
Attack Complexity (AC) | Low (L) |
Privileges Required (PR) | None (N) |
User Interaction (UI) | None (N) |
Scope (S) | Changed (C) |
Confidentiality Impact (C) | High (H) |
Integrity Impact (I) | None (N) |
Availability Impact (A) | None (N) |
Credit
Shogo Kumamaru of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
Source | Identifier |
---|---|
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2024-46898 |
JVN iPedia | JVNDB-2024-000111 |
Update History
- 2024/10/23
- Developer name under the sections [Overview] and [Description], and information under the section [Credit], were updated