CVE-2008-4929 - OpenCVE

MyBB (aka MyBulletinBoard) 1.4.2 uses insufficient randomness to compose filenames of uploaded files used as attachments, which makes it easier for remote attackers to read these files by guessing filenames.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Mybb	Mybb

Configuration 1 [-]

cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*

References

Link	Resource
http://archives.neohapsis.com/archives/bugtraq/2008-10/0203.html	Broken Link Exploit
http://archives.neohapsis.com/archives/fulldisclosure/2008-10/0472.html	Broken Link Exploit
http://www.openwall.com/lists/oss-security/2008/11/01/2	Exploit Mailing List
http://www.securityfocus.com/bid/31936	Broken Link Third Party Advisory VDB Entry
http://www.vupen.com/english/advisories/2008/2967	Broken Link

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2008-11-04T20:00:00

Updated: 2008-11-15T10:00:00

Reserved: 2008-11-04T00:00:00

Link: CVE-2008-4929

JSON object: View

NVD Information

Status : Analyzed

Published: 2008-11-04T21:00:05.957

Modified: 2024-02-14T16:09:48.397

Link: CVE-2008-4929

JSON object: View

Redhat Information

No data.

CWE

CWE-330

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-10-27T00:00:00", "descriptions": [{"lang": "en", "value": "MyBB (aka MyBulletinBoard) 1.4.2 uses insufficient randomness to compose filenames of uploaded files used as attachments, which makes it easier for remote attackers to read these files by guessing filenames."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2008-11-15T10:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "31936", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/31936"}, {"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0203.html"}, {"name": "ADV-2008-2967", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/2967"}, {"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-10/0472.html"}, {"name": "[oss-security] 20081101 CVE request (Fwd: MyBB 1.4.2: Multiple Vulnerabilties)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2008/11/01/2"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-4929", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "MyBB (aka MyBulletinBoard) 1.4.2 uses insufficient randomness to compose filenames of uploaded files used as attachments, which makes it easier for remote attackers to read these files by guessing filenames."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "31936", "refsource": "BID", "url": "http://www.securityfocus.com/bid/31936"}, {"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties", "refsource": "BUGTRAQ", "url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0203.html"}, {"name": "ADV-2008-2967", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/2967"}, {"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties", "refsource": "FULLDISC", "url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-10/0472.html"}, {"name": "[oss-security] 20081101 CVE request (Fwd: MyBB 1.4.2: Multiple Vulnerabilties)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2008/11/01/2"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-4929", "datePublished": "2008-11-04T20:00:00", "dateReserved": "2008-11-04T00:00:00", "dateUpdated": "2008-11-15T10:00:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "9503D6C2-DCBC-4720-BE29-34913950407E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "MyBB (aka MyBulletinBoard) 1.4.2 uses insufficient randomness to compose filenames of uploaded files used as attachments, which makes it easier for remote attackers to read these files by guessing filenames."}, {"lang": "es", "value": "MyBB (tambi\u00e9n conocido como MyBulletinBoard) v1.4.2 no emplea suficiente aleatoriedad para componer los nombres de los ficheros que se hayan subido como adjuntos; esto facilita a los atacantes remotos leer estos ficheros deduciendo su nombre."}], "id": "CVE-2008-4929", "lastModified": "2024-02-14T16:09:48.397", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2008-11-04T21:00:05.957", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link", "Exploit"], "url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0203.html"}, {"source": "cve@mitre.org", "tags": ["Broken Link", "Exploit"], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-10/0472.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2008/11/01/2"}, {"source": "cve@mitre.org", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/31936"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://www.vupen.com/english/advisories/2008/2967"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-330"}], "source": "nvd@nist.gov", "type": "Primary"}]}