An issue was discovered in GCDWebServer before 3.5.3. The method moveItem in the GCDWebUploader class checks the file extension of newAbsolutePath but not of oldAbsolutePath. By leveraging this vulnerability, an adversary can make an otherwise inaccessible file available (the app's credentials, for instance).
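The missing source-path check described above, modelled in Python as an added example; this is not GCDWebServer's Objective-C code. The in-memory file store, the allow-list and every function name are assumptions made for the illustration.

```python
import os

# Assumed allow-list for this model; the real value is whatever the app configures.
ALLOWED_EXTENSIONS = {"txt", "jpg"}

def extension_allowed(path):
    """True when the file name ends in an allowed extension (case-insensitive)."""
    return os.path.splitext(path)[1].lstrip(".").lower() in ALLOWED_EXTENSIONS

def downloadable(files):
    """Names a client may list or fetch: only allowed extensions are served."""
    return sorted(name for name in files if extension_allowed(name))

def move_item_dest_only(files, old_path, new_path):
    """Flawed check: only the destination name is validated."""
    if old_path not in files:
        return "not found"
    if not extension_allowed(new_path):
        return "forbidden"
    files[new_path] = files.pop(old_path)
    return "ok"

def move_item_both(files, old_path, new_path):
    """Corrected check: source and destination must both pass the filter."""
    if old_path not in files:
        return "not found"
    if not (extension_allowed(old_path) and extension_allowed(new_path)):
        return "forbidden"
    files[new_path] = files.pop(old_path)
    return "ok"

def sample_store():
    # Constructed sample data: one served file, one file the filter hides.
    return {"notes.txt": b"hello", "settings.plist": b"api-key=EXAMPLE"}

if __name__ == "__main__":
    for move in (move_item_dest_only, move_item_both):
        store = sample_store()
        result = move(store, "settings.plist", "settings.txt")
        print(move.__name__, result, downloadable(store))
```

The same pair of calls works as a regression test for any move or rename handler that sits behind an extension filter.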
References
Link | Resource |
---|---|
https://github.com/swisspol/GCDWebServer/commit/02738433bf2e1b820ef48f04edd15df304081802 | Patch Third Party Advisory |
https://github.com/swisspol/GCDWebServer/compare/3.5.2...3.5.3 | Patch Third Party Advisory |
https://github.com/swisspol/GCDWebServer/issues/433 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2019-08-10T18:34:17
Updated: 2019-08-10T18:34:17
Reserved: 2019-08-10T00:00:00
Link: CVE-2019-14924
NVD Information
Status: Analyzed
Published: 2019-08-10T19:15:10.920
Modified: 2021-07-21T11:39:23.747
Link: CVE-2019-14924
Redhat Information
No data.
CWE