製品・ソフトウェアに関する情報

JVN脆弱性詳細

html2ps におけるディレクトリトラバーサルの脆弱性

Title	html2ps におけるディレクトリトラバーサルの脆弱性
Summary	html2ps には、ディレクトリトラバーサルの脆弱性が存在します。
Possible impacts	第三者により、SSI ディレクティブの .. (ドットドット) を含む "include file" を介して、任意のファイルを読まれる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Oct. 10, 2012, midnight
Registration Date	Oct. 15, 2012, 3:41 p.m.
Last Update	Oct. 15, 2012, 3:41 p.m.

Affected System

html2ps Project

html2ps 1.0b6 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2009-5067	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5067
National Vulnerability Database (NVD)
2	CVE-2009-5067	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-5067

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-22	https://jvndb.jvn.jp/ja/cwe/CWE-22.html

ベンダー情報

No	Name	URL
Debian Bug report logs
1	html2ps: arbitrary file disclosure in ssi directives	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548633
Red Hat Bugzilla
2	Bug 526513	https://bugzilla.redhat.com/show_bug.cgi?id=526513
Security Advisories
3	MDVSA-2012:161	http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2012:161

Change Log

No	Changed Details	Date of change
0	[2012年10月15日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2009-5067

Summary	Directory traversal vulnerability in html2ps before 1.0b6 allows remote attackers to read arbitrary files via a .. (dot dot) in the "include file" SSI directive. NOTE: this issue only might be a vulnerability in limited scenarios, such as if html2ps is invoked by a web application, or if a user-assisted attacker provides filenames whose contents could cause a denial of service, such as certain devices.
Publication Date	Oct. 11, 2012, 3:55 a.m.
Registration Date	Jan. 29, 2021, 1:28 p.m.
Last Update	Nov. 21, 2024, 10:11 a.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548633
2	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548633
3	http://packetstormsecurity.org/files/81614/html2ps-1.0-beta5-File-Disclosure.html	Exploit
4	http://packetstormsecurity.org/files/81614/html2ps-1.0-beta5-File-Disclosure.html	Exploit
5	http://user.it.uu.se/~jan/html2ps-1.0b7.tar.gz	Patch
6	http://user.it.uu.se/~jan/html2ps-1.0b7.tar.gz	Patch
7	http://www.mandriva.com/security/advisories?name=MDVSA-2012:161
8	http://www.mandriva.com/security/advisories?name=MDVSA-2012:161
9	http://www.openwall.com/lists/oss-security/2012/10/05/1
10	http://www.openwall.com/lists/oss-security/2012/10/05/1
11	http://www.openwall.com/lists/oss-security/2012/10/05/5
12	http://www.openwall.com/lists/oss-security/2012/10/05/5
13	http://www.securityfocus.com/bid/36524
14	http://www.securityfocus.com/bid/36524
15	https://bugzilla.redhat.com/show_bug.cgi?id=526513
16	https://bugzilla.redhat.com/show_bug.cgi?id=526513

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-22	パス・トラバーサル	https://cwe.mitre.org/data/definitions/22.html