Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: Cantata vulnerability
From: cve-assign () mitre org
Date: Mon, 20 Jan 2014 11:05:44 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

https://code.google.com/p/cantata/issues/detail?id=356

Use CVE-2013-7300 for the lack of restrictions on the set of files
available through the web server, i.e., an absolute path traversal
vulnerability.

Use CVE-2013-7301 for the default configuration in which the external
network interface is used with no access control for reading queued
music files.

These could have been fixed independently. For example, fixing only
CVE-2013-7300 means that a remote attacker could read "private" song
data (but that might be irrelevant in some situations on a network
within a home). Fixing only CVE-2013-7301 means that local users could
read arbitrary files (but that might be irrelevant on a single-user
system).

The other issues mentioned in id=356 are probably best considered
suggestions for security improvement (e.g., availability of an HTTP
service in fewer circumstances, defaulting to the lo interface, better
access control, additional build options, etc.).

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJS3UglAAoJEKllVAevmvmslR4IALRpqiR6R6K8mUuqeEDhnzKV
TY4cY6E5sRbpM4jCLKKSlTX6eLFuOEP0yXJfnyAr5opGTslmecfCTVuvTxa9u7E5
KHviH9Qlinzt31BnxNvXJPntIRHr87YVPYPvHNeBMVcVyl3Z9tRMBngGn7pXfPh3
3ILDISHeKtbGrSO/7PycIxqEJuNgaU0sckcp2NGYkMDNF6fjLdKak+nGHSA8tvML
ssvGayQ2EUcfSEWUdltDR8omDcTKEAR8w86Bpu1usf0mOczh15bn9rJNb/BjLQIH
Wx2EyVeuDVrOftmdK4IzqchfrEsvKmJOKA8ZiyG1XY9n7n7T8iKjjeCvHwOQM6o=
=Arrv
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault