CVE-2016-10320 - OpenCVE

textract before 1.5.0 allows OS Command Injection attacks via a filename in a call to the process function. This may be a remote attack if a web application accepts names of arbitrary uploaded files.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:M/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Textract Project	Textract

Configuration 1 [-]

cpe:2.3:a:textract_project:textract:*:*:*:*:*:*:*:*

References

Link	Resource
http://seclists.org/oss-sec/2016/q4/442	Exploit Patch Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-10-03T16:16:39

Updated: 2022-10-03T16:16:39

Reserved: 2022-10-03T00:00:00

Link: CVE-2016-10320

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-04-06T18:59:00.183

Modified: 2017-04-12T18:02:02.067

Link: CVE-2016-10320

JSON object: View

Redhat Information

No data.

CWE

CWE-78

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:textract_project:textract:*:*:*:*:*:*:*:*", "matchCriteriaId": "3E1CF836-F057-41A6-9318-95805DE449AE", "versionEndIncluding": "1.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "textract before 1.5.0 allows OS Command Injection attacks via a filename in a call to the process function. This may be a remote attack if a web application accepts names of arbitrary uploaded files."}, {"lang": "es", "value": "textract en versiones anteriores a 1.5.0 permite ataques OS de inyecci\u00f3n de comando a trav\u00e9s de un nombre de archivo en una llamada a la funci\u00f3n de proceso. Esto puede ser un ataque remoto si una aplicaci\u00f3n web acepta nombres de archivos subidos arbitrariamente."}], "id": "CVE-2016-10320", "lastModified": "2017-04-12T18:02:02.067", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-04-06T18:59:00.183", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Third Party Advisory", "VDB Entry"], "url": "http://seclists.org/oss-sec/2016/q4/442"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}