CVE-2019-16409

{"id": "CVE-2019-16409", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2019-09-26T16:15:11.267", "references": [{"url": "https://github.com/silverstripe/silverstripe-framework", "tags": ["Product", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/symbiote/silverstripe-versionedfiles", "tags": ["Product", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.silverstripe.org/download/security-releases/cve-2019-16409", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding of the symbiote/silverstripe-versionedfiles source code. (Users who upgrade from SilverStripe 3.x to 4.x and had Versioned Files installed have no further need for this module, because the 4.x release has built-in versioning. However, nothing in the upgrade process automates the destruction of these insecure artefacts, nor alerts the user to the criticality of destruction.)"}, {"lang": "es", "value": "En el m\u00f3dulo Versioned Files versiones hasta 2.0.3 para SilverStripe versiones 3.x, las versiones no publicadas de archivos se exponen p\u00fablicamente a cualquiera que pueda adivinar su URL. Esta suposici\u00f3n podr\u00eda estar altamente informada para una comprensi\u00f3n b\u00e1sica del c\u00f3digo fuente de symbiote/silverstripe-versionedfiles. (Los usuarios que actualizan SilverStripe versiones 3.x hasta 4.x y ten\u00edan instalado Versioned Files ya no necesitan este m\u00f3dulo, porque la versi\u00f3n 4.x posee versiones integradas. Sin embargo, nada en el proceso de actualizaci\u00f3n automatiza la destrucci\u00f3n de estos artefactos no seguros, ni alerta al usuario sobre la importancia de su destrucci\u00f3n)."}], "lastModified": "2021-07-21T11:39:23.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:silverstripe:silverstripe:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4E58CB97-D94C-41B1-BD35-101853DF1D5E", "versionEndIncluding": "3.7.4", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:symbiote:versionedfiles:*:*:*:*:*:silverstripe:*:*", "vulnerable": true, "matchCriteriaId": "2243C113-7430-45F8-B641-A4A937594787", "versionEndIncluding": "2.0.3"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}