CVE-2013-4885
Published 2013-10-26
CVE-2013-4885: The http-domino-enum-passwords.nse script in NMap before 6.40, when domino-enum-passwords.idpath is set, allows remote servers to upload "arbitrarily named"…
Priority P3 · 42 · medium · 6.8 CVSS 2.0
AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 7.22% (93.5th percentile)
The http-domino-enum-passwords.nse script in NMap before 6.40, when domino-enum-passwords.idpath is set, allows remote servers to upload "arbitrarily named" files via a crafted FullName parameter in a response, as demonstrated using directory traversal sequences.
Affected
87 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nmap | < nmap 6.40-0.1 (bookworm) | nmap 6.40-0.1 (bookworm) |
| nmap | nmap | <= 6.25 | — |
CVSS provenance
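| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 6.8 | MEDIUM | — |
| vendor_debian | — | 6.8 | LOW | — |
| vendor_redhat | — | 6.8 | MEDIUM | — |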
GHSA
GHSA-jrx5-35w9-xj26: The http-domino-enum-passwords
ghsa_unreviewed·2022-05-14
OSV
CVE-2013-4885: The http-domino-enum-passwords
osv·2013-10-26·CVSS 6.8
Red Hat
nmap: arbitrary file upload flaw in http-domino-enum-passwords NSE script
vendor_redhat·2013-08-07·CVSS 6.8
CVE-2013-4885 [MEDIUM] CWE-22
Statement: This did not affect the version of nmap as shipped with Red Hat Enterprise Linux 5, as it did not have support for NSE scripts. This issue affects the version of nmap as shipped with Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.
Package: nmap (Red Hat Enterprise Linux 5) - Not affected
Package: nmap (Red Hat Enterprise Linux 6) - Will no
Debian
CVE-2013-4885: nmap - The http-domino-enum-passwords.nse script in NMap before 6.40, when domino-enum-...
vendor_debian·2013·CVSS 6.8
Scope: local
bookworm: resolved (fixed in 6.40-0.1)
bullseye: resolved (fixed in 6.40-0.1)
forky: resolved (fixed in 6.40-0.1)
sid: resolved (fixed in 6.40-0.1)
trixie: resolved (fixed in 6.40-0.1)
No detection rules found.
Bugzilla
nmap: CVE-2013-4885 nmap: arbitrary file upload flaw in http-domino-enum-passwords NSE script [fedora-all]
bugzilla·2013-08-16·CVSS 6.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Bugzilla
CVE-2013-4885 nmap: arbitrary file upload flaw in http-domino-enum-passwords NSE script
bugzilla·2013-08-09·CVSS 6.8
A flaw in the http-domino-enum-passwords NSE script for Nmap was discovered [1]. If this script was run with the non-default domino-enum-passwords.idpath parameter against a malicious server, it could cause an arbitrarily named file to be written to the client system with the permissions of the user running the nmap client.
This was corrected in upstream version 6.40 [2] (svn r31576). This svn revision also updates a few other NSE scripts for extra safety.
[1] http://packetstormsecurity.com/files/122719/TWSL2013-025.txt
[2] http://nmap.org/changelog.html
Discussion:
Created attachment 785030
nmap r31576 patch
The svn patch that corrects this flaw and hardens a few other NSE scripts.
---
This did
http://lists.opensuse.org/opensuse-updates/2013-10/msg00030.html
http://lists.opensuse.org/opensuse-updates/2013-10/msg00035.html
http://nmap.org/changelog.html
http://packetstormsecurity.com/files/122719/TWSL2013-025.txt
https://github.com/drk1wi/portspoof/commit/1791fe4e2b9e5b5c8e000551ab60a64a29d924c3
https://www.trustwave.com/spiderlabs/advisories/TWSL2013-025.txt