CVE-2008-4129

high

Description

Gallery before 1.5.9, and 2.x before 2.2.6, does not properly handle ZIP archives containing symbolic links, which allows remote authenticated users to conduct directory traversal attacks and read arbitrary files via vectors related to the archive upload (aka zip upload) functionality.

References

https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00832.html

https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00794.html

https://exchange.xforce.ibmcloud.com/vulnerabilities/45228

http://www.securityfocus.com/bid/31231

http://security.gentoo.org/glsa/glsa-200811-02.xml

http://secunia.com/advisories/33144

http://secunia.com/advisories/32662

http://secunia.com/advisories/31912

http://gallery.menalto.com/gallery_2.2.6_released

http://gallery.menalto.com/gallery_1.5.9_released

Details

Source: Mitre, NVD

Published: 2008-09-18

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Severity: High