CVE-2015-8748

MEDIUM

Radicale < 1.0.1 - Access Control

Title source: rule

Description

Radicale before 1.1 allows remote authenticated users to bypass owner_write and owner_only limitations via regex metacharacters in the user name, as demonstrated by ".*".

References (8)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/80255

[Patch, Vendor Advisory] https://github.com/Kozea/Radicale/pull/341

[Patch] https://github.com/Unrud/Radicale/commit/4bfe7c9f7991d534c8b9fbe153af9d341f925f98

[Mailing List, Third Party Advisory] http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175738.html

[Mailing List, Third Party Advisory] http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175776.html

[Third Party Advisory] http://www.debian.org/security/2016/dsa-3462

[Mailing List] http://www.openwall.com/lists/oss-security/2016/01/05/7

[Mailing List] http://www.openwall.com/lists/oss-security/2016/01/06/4

Scores

CVSS v3 5.3

EPSS 0.0057

EPSS Percentile 68.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Classification

CWE

CWE-264

Status draft

Affected Products (2)

radicale/radicale < 1.0.1

pypi/Radicale < 1.1PyPI

Timeline

Published Feb 03, 2016

Tracked Since Feb 18, 2026