Bug 1179986 (CVE-2020-35176) - [network:utilities] CVE-2020-35176: awstats: cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this i
Summary: [network:utilities] CVE-2020-35176: awstats: cgi-bin/awstats.pl?config= accep...
Status: RESOLVED INVALID
Alias: CVE-2020-35176
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P5 - None : Minor
Target Milestone: ---
Assignee: Andrew Daugherity
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/273273/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-14 06:37 UTC by Marcus Meissner
Modified: 2024-07-22 18:23 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2020-12-14 06:37:46 UTC 
CVE-2020-35176

In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute
pathname (omitting the initial /etc), even though it was intended to only read a
file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of
an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35176
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35176
https://github.com/eldy/awstats/issues/195
Comment 1 Andrew Daugherity 2024-07-22 18:23:00 UTC 
The OBS package has not been vulnerable since 2018-03-06.

See also:
boo#1179750
https://build.opensuse.org/request/show/583146
https://build.opensuse.org/request/show/909838