CVE-2019-3816

CWE-22Path Traversal8 documents7 sources
Severity
7.5HIGH
EPSS
0.7%
top 27.18%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
12
Openwsman Project Openwsman[unknown] OpenwsmanFedoraproject Fedora+9 more
Timeline
PublishedMar 14
Latest updateMay 13

Description

Openwsman, versions up to and including 2.6.9, are vulnerable to arbitrary file disclosure because the working directory of openwsmand daemon was set to root directory. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request to openwsman server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

CVEListV5[unknown]/openwsmanversions up to and including 2.6.9
NVDopensuse/leap15.0, 42.3+1

Also affects: Fedora 28, 29, 30, Enterprise Linux 8.0, 8.1, 8.2, 8.4, 7.6

🔴Vulnerability Details

3
GHSA
GHSA-966p-p7cq-2frr: Openwsman, versions up to and including 22022-05-13
CVEList
CVE-2019-3816: Openwsman, versions up to and including 22019-03-14
OSV
CVE-2019-3816: Openwsman, versions up to and including 22019-03-14

📋Vendor Advisories

2
Red Hat
openwsman: Disclosure of arbitrary files outside of the registered URIs2019-03-12
Microsoft
Openwsman versions up to and including 2.6.9 are vulnerable to arbitrary file disclosure because the working directory of openwsmand daemon was set to root directory. A remote unauthenticated attacker2019-03-12

💬Community

2
Bugzilla
CVE-2019-3816 openwsman: Arbitrary file disclosure due to root working directory [fedora-all]2019-03-12
Bugzilla
CVE-2019-3816 openwsman: Disclosure of arbitrary files outside of the registered URIs2019-01-17
CVE-2019-3816 (HIGH CVSS 7.5) | Openwsman | cvebase.io