Bug 245622 (CVE-2008-4920) - dev-php5/agavi<=1.0.0-beta5 Directory traversal (CVE-2008-4920)
Summary: dev-php5/agavi<=1.0.0-beta5 Directory traversal (CVE-2008-4920)
Status: RESOLVED INVALID
Alias: CVE-2008-4920
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: B4 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-11-05 08:26 UTC by Stefan Behte (RETIRED)
Modified: 2009-01-13 18:10 UTC
Description Stefan Behte (RETIRED) gentoo-dev Security 2008-11-05 08:26:04 UTC
CVE-2008-4920 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4920):
  Directory traversal vulnerability in Agavi 1.0.0 beta 5 and earlier
  allows remote attackers to read arbitrary files via a .. (dot dot) in
  the cmplang parameter.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-01-13 18:10:58 UTC
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate was based on an incorrect claim regarding a directory issue in Agavi. The vendor has disputed the issue and the original researcher has retracted the original claim, so this is not a vulnerability. Further investigation by the vendor and original researcher show that the original issue was in a site-specific modification, which is outside the scope of CVE. Notes: CVE users should not use this identifier.