// For flags

CVE-2019-7305

eXtplorer exposes /usr and /etc/extplorer over HTTP

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Information Exposure vulnerability in eXtplorer makes the /usr/ and /etc/extplorer/ system directories world-accessible over HTTP. Introduced in the Makefile patch file debian/patches/debian-changes-2.1.0b6+dfsg-1 or debian/patches/adds-a-makefile.patch, this can lead to data leakage, information disclosure and potentially remote code execution on the web server. This issue affects all versions of eXtplorer in Ubuntu and Debian

La vulnerabilidad de exposición a la información en eXtplorer hace que los directorios del sistema /usr/ y /etc/extplorer/ sean de tipo world-accessible a través de HTTP. Introducido en el archivo de parche Makefile debian/patches/debian-changes-2.1.0b6+dfsg-1 o debian/patches/adds-a-makefile.patch, esto puede conllevar a un filtrado de datos, una divulgación de información y potencialmente una ejecución de código remota en el Servidor web. Este problema afecta a todas las versiones de eXtplorer en Ubuntu y Debian.

*Credits: Sander Bos
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-02-01 CVE Reserved
  • 2020-04-09 CVE Published
  • 2024-02-08 EPSS Updated
  • 2024-09-17 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-552: Files or Directories Accessible to External Parties
CAPEC
References (1)
URL Tag Source
https://launchpad.net/bugs/1822013 Issue Tracking
URL Date SRC
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Extplorer
Search vendor "Extplorer"
 Extplorer
Search vendor "Extplorer" for product "Extplorer"
 <= 2.1.0
Search vendor "Extplorer" for product "Extplorer" and version " <= 2.1.0"
-
Affected
in Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
--
Safe
Extplorer
Search vendor "Extplorer"
 Extplorer
Search vendor "Extplorer" for product "Extplorer"
 <= 2.1.0
Search vendor "Extplorer" for product "Extplorer" and version " <= 2.1.0"
-
Affected
in Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
--
Safe