Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2013-7300

Published: 2 February 2014

Absolute path traversal vulnerability in cantata before 1.2.2 allows local users to read arbitrary files via a full pathname in a request to the internal httpd server. NOTE: this vulnerability can be leveraged by remote attackers using CVE-2013-7301.

From the Ubuntu Security Team

Automatically started HTTP server listens on all interfaces and will serve any file that the user running the HTTP server has access to, including e.g. ssh private keys.

Notes

AuthorNote
sbeattie 
according to debian bug, 1.1.3 is not vulnerable to this issue

Priority

Medium

Status

Package Release Status
cantata
Launchpad, Ubuntu, Debian 		lucid Does not exist

precise Does not exist

quantal Does not exist

raring Ignored
(end of life)
saucy Ignored
(end of life)
trusty Does not exist
(trusty was not-affected [1.1.3-0ubuntu1~ubuntu13.11])
upstream Pending
(1.2.2)

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading