CVE-2009-3898: Directory traversal vulnerability in src/http/modules/ngx_http_dav_module.c in nginx (aka Engine X) before 0.7.63, and 0.8.x before 0.8.17, allows remote…

medium4.9CVSS 3.1

AVNACMAuSCPIPAN

EXPLOIT

Directory traversal vulnerability in src/http/modules/ngx_http_dav_module.c in nginx (aka Engine X) before 0.7.63, and 0.8.x before 0.8.17, allows remote authenticated users to create or overwrite arbitrary files via a .. (dot dot) in the Destination HTTP header for the WebDAV (1) COPY or (2) MOVE method.

Affected

290 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	nginx	< nginx 0.7.63-1 (bookworm)	nginx 0.7.63-1 (bookworm)
f5	nginx	<= 0.7.62	—
f5	nginx	—	—
f5	nginx	—	—
f5	nginx	—	—
f5	nginx	—	—
f5	nginx	—	—
f5	nginx	—	—
f5	nginx	—	—
f5	nginx	—	—
f5	nginx	—	—
f5	nginx	—	—
f5	nginx	—	—
f5	nginx	—	—
f5	nginx	—	—
f5	nginx	—	—
f5	nginx	—	—
f5	nginx	—	—
f5	nginx	—	—
f5	nginx	—	—
f5	nginx	—	—
f5	nginx	—	—
f5	nginx	—	—
f5	nginx	—	—
f5	nginx	—	—

CVSS provenance

nvd4.9MEDIUMAV:N/AC:M/Au:S/C:P/I:P/A:N

osv4.9MEDIUM