CVE-2017-1000501

Published: 03 January 2018

Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.

Priority

CVSS 3 base score: 9.8

Status

Package	Release	Status
awstats Launchpad, Ubuntu, Debian	Upstream	Needs triage





	Ubuntu 16.04 ESM (Xenial Xerus)	Released (7.4+dfsg-1ubuntu0.2)
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist (trusty was released [7.2+dfsg-1ubuntu0.1])
	Patches: Upstream: https://github.com/eldy/awstats/commit/cf219843a74c951bf5986f3a7fffa3dcf99c3899 Upstream: https://github.com/eldy/awstats/commit/06c0ab29c1e5059d9e0279c6b64d573d619e1651

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000501
https://ubuntu.com/security/notices/USN-3518-1
NVD
Launchpad
Debian

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885835

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›