CVE-2019-13343 - OpenCVE

Butor Portal before 1.0.27 is affected by a Path Traversal vulnerability leading to a pre-authentication arbitrary file download. Effectively, a remote anonymous user can download any file on servers running Butor Portal. WhiteLabelingServlet is responsible for this vulnerability. It does not properly sanitize user input on the theme t parameter before reusing it in a path. This path is then used without validation to fetch a file and return its raw content to the user via the /wl?t=../../...&h= substring followed by a filename.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Butor	Portal

Configuration 1 [-]

cpe:2.3:a:butor:portal:*:*:*:*:*:*:*:*

References

Link	Resource
https://bitbucket.org/account/user/butor-team/projects/PROJ	Third Party Advisory
https://bitbucket.org/butor-team/portal/commits/all	Third Party Advisory
https://bitbucket.org/butor-team/portal/commits/cd7055d33e194fcf530100ee1d8d13aa9cde230b	Patch Third Party Advisory
https://bitbucket.org/butor-team/portal/src/cd7055d33e194fcf530100ee1d8d13aa9cde230b/src/main/java/com/butor/portal/web/servlet/WhiteLabelingServlet.java?at=master	Exploit Third Party Advisory
https://www.gosecure.net/blog/2019/09/30/butor-portal-arbitrary-file-download-vulnerability-cve-2019-13343	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-10-02T15:49:29

Updated: 2019-10-02T15:49:29

Reserved: 2019-07-05T00:00:00

Link: CVE-2019-13343

JSON object: View

NVD Information

Status : Modified

Published: 2019-10-02T16:15:14.227

Modified: 2019-10-09T23:46:26.263

Link: CVE-2019-13343

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Butor Portal before 1.0.27 is affected by a Path Traversal vulnerability leading to a pre-authentication arbitrary file download. Effectively, a remote anonymous user can download any file on servers running Butor Portal. WhiteLabelingServlet is responsible for this vulnerability. It does not properly sanitize user input on the theme t parameter before reusing it in a path. This path is then used without validation to fetch a file and return its raw content to the user via the /wl?t=../../...&h= substring followed by a filename."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:L/AV:N/A:L/C:H/I:L/PR:N/S:C/UI:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-10-02T15:49:29", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bitbucket.org/account/user/butor-team/projects/PROJ"}, {"tags": ["x_refsource_MISC"], "url": "https://bitbucket.org/butor-team/portal/commits/cd7055d33e194fcf530100ee1d8d13aa9cde230b"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bitbucket.org/butor-team/portal/src/cd7055d33e194fcf530100ee1d8d13aa9cde230b/src/main/java/com/butor/portal/web/servlet/WhiteLabelingServlet.java?at=master"}, {"tags": ["x_refsource_MISC"], "url": "https://www.gosecure.net/blog/2019/09/30/butor-portal-arbitrary-file-download-vulnerability-cve-2019-13343"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bitbucket.org/butor-team/portal/commits/all"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-13343", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Butor Portal before 1.0.27 is affected by a Path Traversal vulnerability leading to a pre-authentication arbitrary file download. Effectively, a remote anonymous user can download any file on servers running Butor Portal. WhiteLabelingServlet is responsible for this vulnerability. It does not properly sanitize user input on the theme t parameter before reusing it in a path. This path is then used without validation to fetch a file and return its raw content to the user via the /wl?t=../../...&h= substring followed by a filename."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:L/AV:N/A:L/C:H/I:L/PR:N/S:C/UI:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bitbucket.org/account/user/butor-team/projects/PROJ", "refsource": "MISC", "url": "https://bitbucket.org/account/user/butor-team/projects/PROJ"}, {"name": "https://bitbucket.org/butor-team/portal/commits/cd7055d33e194fcf530100ee1d8d13aa9cde230b", "refsource": "MISC", "url": "https://bitbucket.org/butor-team/portal/commits/cd7055d33e194fcf530100ee1d8d13aa9cde230b"}, {"name": "https://bitbucket.org/butor-team/portal/src/cd7055d33e194fcf530100ee1d8d13aa9cde230b/src/main/java/com/butor/portal/web/servlet/WhiteLabelingServlet.java?at=master", "refsource": "CONFIRM", "url": "https://bitbucket.org/butor-team/portal/src/cd7055d33e194fcf530100ee1d8d13aa9cde230b/src/main/java/com/butor/portal/web/servlet/WhiteLabelingServlet.java?at=master"}, {"name": "https://www.gosecure.net/blog/2019/09/30/butor-portal-arbitrary-file-download-vulnerability-cve-2019-13343", "refsource": "MISC", "url": "https://www.gosecure.net/blog/2019/09/30/butor-portal-arbitrary-file-download-vulnerability-cve-2019-13343"}, {"name": "https://bitbucket.org/butor-team/portal/commits/all", "refsource": "CONFIRM", "url": "https://bitbucket.org/butor-team/portal/commits/all"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-13343", "datePublished": "2019-10-02T15:49:29", "dateReserved": "2019-07-05T00:00:00", "dateUpdated": "2019-10-02T15:49:29", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:butor:portal:*:*:*:*:*:*:*:*", "matchCriteriaId": "904DEE00-3731-42B7-A42C-2CE7F64E7307", "versionEndExcluding": "1.0.27", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Butor Portal before 1.0.27 is affected by a Path Traversal vulnerability leading to a pre-authentication arbitrary file download. Effectively, a remote anonymous user can download any file on servers running Butor Portal. WhiteLabelingServlet is responsible for this vulnerability. It does not properly sanitize user input on the theme t parameter before reusing it in a path. This path is then used without validation to fetch a file and return its raw content to the user via the /wl?t=../../...&h= substring followed by a filename."}, {"lang": "es", "value": "Butor Portal versiones anteriores a 1.0.27, est\u00e1 afectado por una vulnerabilidad de Salto de Ruta conllevando a una descarga de archivos arbitrarios previa a la autenticaci\u00f3n. Efectivamente, un usuario an\u00f3nimo remoto puede descargar cualquier archivo en servidores ejecutando Butor Portal. La funci\u00f3n WhiteLabelingServlet es responsable de esta vulnerabilidad. No sanea apropiadamente la entrada del usuario en el par\u00e1metro t del tema antes de reutilizarlo en una ruta. Esta ruta luego es usada sin comprobaci\u00f3n para recuperar un archivo y devolver su contenido crudo para el usuario por medio de la subcadena /wl?t=../../...&h= seguida por un nombre de archivo."}], "id": "CVE-2019-13343", "lastModified": "2019-10-09T23:46:26.263", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.3, "source": "cve@mitre.org", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-10-02T16:15:14.227", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://bitbucket.org/account/user/butor-team/projects/PROJ"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://bitbucket.org/butor-team/portal/commits/all"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://bitbucket.org/butor-team/portal/commits/cd7055d33e194fcf530100ee1d8d13aa9cde230b"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://bitbucket.org/butor-team/portal/src/cd7055d33e194fcf530100ee1d8d13aa9cde230b/src/main/java/com/butor/portal/web/servlet/WhiteLabelingServlet.java?at=master"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.gosecure.net/blog/2019/09/30/butor-portal-arbitrary-file-download-vulnerability-cve-2019-13343"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}