CVE-2008-4129: Path Traversal
First published: Thu Sep 18 2008(Updated: )
Gallery before 1.5.9, and 2.x before 2.2.6, does not properly handle ZIP archives containing symbolic links, which allows remote authenticated users to conduct directory traversal attacks and read arbitrary files via vectors related to the archive upload (aka zip upload) functionality.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| NotFound Gallery | =2.2.0 | |
| NotFound Gallery | =2.2.3 | |
| NotFound Gallery | =2.2.2 | |
| NotFound Gallery | =2.2.4 | |
| NotFound Gallery | <=2.2.5 | |
| NotFound Gallery | =2.2.1 | |
| NotFound Gallery | <=1.5.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/31231
- http://gallery.menalto.com/gallery_1.5.9_released
- http://gallery.menalto.com/gallery_2.2.6_released
- http://security.gentoo.org/glsa/glsa-200811-02.xml
- http://secunia.com/advisories/32662
- https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00832.html
- https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00794.html
- http://secunia.com/advisories/33144
- http://secunia.com/advisories/31912
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45228
Frequently Asked Questions
What is the severity of CVE-2008-4129?
CVE-2008-4129 has a medium severity rating due to its potential for directory traversal attacks.
How do I fix CVE-2008-4129?
To fix CVE-2008-4129, upgrade to Gallery version 1.5.9 or 2.2.6 or later.
What types of attacks can CVE-2008-4129 enable?
CVE-2008-4129 can enable remote authenticated users to read arbitrary files on the server.
Which versions of Gallery are affected by CVE-2008-4129?
Gallery versions before 1.5.9 and versions 2.x before 2.2.6 are affected by CVE-2008-4129.
Is CVE-2008-4129 exploitable by unauthenticated users?
CVE-2008-4129 is not directly exploitable by unauthenticated users; it requires authentication.
- agent/references
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/description
- agent/author
- agent/event
- agent/remedy
- agent/source
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/gallery
- canonical/notfound gallery
- version/notfound gallery/2.2.0
- version/notfound gallery/2.2.3
- version/notfound gallery/2.2.2
- version/notfound gallery/2.2.4
- version/notfound gallery/2.2.5
- version/notfound gallery/2.2.1
- version/notfound gallery/1.5.8