CVE-2019-14511 — Missing Authentication for Critical Function in Sphinx

CWE-306 — Missing Authentication for Critical Function CWE-22 — Path Traversal10 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.8%

top 26.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Sphinxsearch Sphinxsearch Sphinx Debian Linux

Timeline

PublishedAug 22

Latest updateMay 24

Description

Sphinx Technologies Sphinx 3.1.1 by default has no authentication and listens on 0.0.0.0, making it exposed to the internet (unless filtered by a firewall or reconfigured to listen to 127.0.0.1 only).

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶debiandebian/sphinxsearch< sphinxsearch 2.2.11-3 (bookworm)+1

▶NVDsphinxsearch/sphinx3.1.1+1

Also affects: Debian Linux 9.0

🔴Vulnerability Details

GHSA

GHSA-w8f6-g5xv-w78j: Sphinx Technologies Sphinx 3↗2022-05-24

▶

GHSA

GHSA-4g2j-rgw2-wmrw: SphinxSearch in Sphinx Technologies Sphinx through 3↗2022-01-11

▶

OSV

CVE-2020-29050: SphinxSearch in Sphinx Technologies Sphinx through 3↗2022-01-10

▶

OSV

CVE-2019-14511: Sphinx Technologies Sphinx 3↗2019-08-22

▶

📋Vendor Advisories

Debian

CVE-2020-29050: sphinxsearch - SphinxSearch in Sphinx Technologies Sphinx through 3.1.1 allows directory traver...↗2020

▶

Debian

CVE-2019-14511: sphinxsearch - Sphinx Technologies Sphinx 3.1.1 by default has no authentication and listens on...↗2019

▶

💬Community

Bugzilla

CVE-2019-14511 sphinx: no authentication and listens on 0.0.0.0 leads to information disclosure↗2019-09-05

▶

Bugzilla

CVE-2019-14511 sphinx: no authentication and listens on 0.0.0.0 leads to information disclosure [fedora-all]↗2019-09-05

▶