CVE-2015-8747

CRITICAL

Radicale < 1.1 - Unauthenticated Arbitrary File Read and Write via Multifilesystem Storage Backend

Title source: llm
STIX 2.1

Description

The multifilesystem storage backend in Radicale before 1.1 allows remote attackers to read or write to arbitrary files via a crafted component name.

References (9)

Core 9
Core References
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/01/06/7
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/80255
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/01/05/7
Patch x_refsource_confirm
https://github.com/Kozea/Radicale/pull/343
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2016/dsa-3462
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175776.html
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/01/06/4
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175738.html

Scores

CVSS v3 10.0
EPSS 0.0295
EPSS Percentile 85.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Details

CWE
CWE-20
Status published
Products (2)
pypi/Radicale 0 - 1.1PyPI
radicale/radicale < 1.0.1
Published Feb 03, 2016
Tracked Since Feb 18, 2026