Your submission was sent successfully! Close


Published: 02 February 2014

Absolute path traversal vulnerability in cantata before 1.2.2 allows local users to read arbitrary files via a full pathname in a request to the internal httpd server. NOTE: this vulnerability can be leveraged by remote attackers using CVE-2013-7301.

From the Ubuntu security team

Automatically started HTTP server listens on all interfaces and will serve any file that the user running the HTTP server has access to, including e.g. ssh private keys.




Package Release Status
Launchpad, Ubuntu, Debian
Upstream Pending
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was not-affected [1.1.3-0ubuntu1~ubuntu13.11])