Description
redhat-certification does not properly restrict files that can be download through the /download page. A remote attacker may download any file accessible by the user running httpd.
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/105061
Issue Tracking, Mitigation, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10869
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2373
Scores
CVSS v3
7.5
EPSS
0.0053
EPSS Percentile
67.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-552
CWE-732
Status
published
Products (2)
redhat/certification
redhat/enterprise_linux
7.0
Published
Jul 19, 2018
Tracked Since
Feb 18, 2026