Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-3898: Path Traversal in F5 Nginx

CWE-22: Path Traversal | 6 documents | 6 sources
Severity: 4.9 MEDIUM (NVD)
EPSS: 1.1% (top 22.15%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline
Published: Nov 24
Latest update: May 2

Description

Directory traversal vulnerability in src/http/modules/ngx_http_dav_module.c in nginx (aka Engine X) before 0.7.63, and 0.8.x before 0.8.17, allows remote authenticated users to create or overwrite arbitrary files via a .. (dot dot) in the Destination HTTP header for the WebDAV (1) COPY or (2) MOVE method.

CVSS vector

AV:N/AC:M/C:P/I:P/A:N
Exploitability: 6.8 | Impact: 4.9

Affected Packages (3 packages)

Debian | f5/nginx | < 0.7.63-1+3
NVD | f5/nginx | 0.7.62+283
NVD | nginx/nginx | 0.6.1516

Patches

🔴 Vulnerability Details (3)

GHSA: GHSA-787j-9hgf-jxj6: Directory traversal vulnerability in src/http/modules/ngx_http_dav_module (2022-05-02)
CVEList: CVE-2009-3898: Directory traversal vulnerability in src/http/modules/ngx_http_dav_module (2009-11-24)
OSV: CVE-2009-3898: Directory traversal vulnerability in src/http/modules/ngx_http_dav_module (2009-11-24)

💥 Exploits & PoCs (1)

Exploit-DB: Nginx 0.7.61 - WebDAV Directory Traversal (2009-09-23)

📋 Vendor Advisories (1)

Debian: CVE-2009-3898: nginx - Directory traversal vulnerability in src/http/modules/ngx_http_dav_module.c in n... (2009)