CVE-2020-29600

Published: 07 December 2020

In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501.
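The defect described above is a config-selector parameter that was meant to name a file inside a fixed directory but was accepted as a raw path. The Python below is an added illustrative example, not AWStats code and not the upstream patch: it contrasts an unchecked join (which silently discards the base directory when the supplied value is absolute) with a whitelisted name plus a containment check. The directory `/etc/awstats` and the `awstats.<name>.conf` naming are assumptions made for the example.

```python
# Added illustrative example (not AWStats code, not the upstream fix):
# how an unchecked join lets an absolute value escape the config directory,
# and one defensive way to resolve a config *name* instead of a path.
import os
import re

CONFIG_DIR = "/etc/awstats"  # assumed config directory for this example
# Assumed naming convention: CONFIG_DIR/awstats.<name>.conf
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*")


def resolve_config_unchecked(param, config_dir=CONFIG_DIR):
    """Defective pattern: join the raw parameter under config_dir.

    os.path.join drops config_dir when param is absolute, and "../"
    components are kept, so the result can point anywhere.
    """
    return os.path.join(config_dir, param)


def resolve_config(param, config_dir=CONFIG_DIR):
    """Map a user-supplied config name to a file inside config_dir.

    Raises ValueError for anything that is not a plain name (absolute
    paths, separators, NUL, leading dots, '..') and, as defence in depth,
    verifies the resolved path still lies inside config_dir.
    """
    if not isinstance(param, str) or not param:
        raise ValueError("empty config name")
    # Whitelist, not blacklist: '/', '\\', NUL and a leading '.' never match.
    if not _NAME_RE.fullmatch(param):
        raise ValueError("config name contains disallowed characters: %r" % param)
    candidate = os.path.join(config_dir, "awstats.%s.conf" % param)
    # Containment check on the resolved path (handles symlinked config_dir).
    root = os.path.realpath(config_dir)
    resolved = os.path.realpath(candidate)
    if os.path.commonpath([root, resolved]) != root:
        raise ValueError("resolved path escapes config directory")
    return candidate


def accepts(param):
    """True if resolve_config would accept param, False otherwise."""
    try:
        resolve_config(param)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, not values from any real request.
    for value in ["mysite", "site.example.com", "/tmp/evil.conf",
                  "../../tmp/evil", "..", ".hidden", "a/b", ""]:
        print("%-18r unchecked=%-32s checked=%s" % (
            value, resolve_config_unchecked(value), accepts(value)))
```

The regex requires an alphanumeric first character, which is what rules out `.`, `..` and hidden files; dots inside a name stay allowed so per-site names such as `site.example.com` still work.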

Priority: Low

CVSS 3 base score: 9.8

Status

Package: awstats (Launchpad, Ubuntu, Debian)

Release                          Status
Upstream                         Released (7.8-1)
Ubuntu 21.10 (Impish Indri)      Not vulnerable (7.8-1)
Ubuntu 21.04 (Hirsute Hippo)     Not vulnerable (7.8-1)
Ubuntu 20.04 LTS (Focal Fossa)   Released (7.6+dfsg-2ubuntu0.20.04.1)
Ubuntu 18.04 LTS (Bionic Beaver) Released (7.6+dfsg-2ubuntu0.18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus)  Released (7.4+dfsg-1ubuntu0.4+esm1)
Ubuntu 14.04 ESM (Trusty Tahr)   Does not exist

Patches:
Upstream: https://github.com/eldy/awstats/commit/d4d815d0caae3dbae83ac70a1ae4581bd57cf376