Candidate: CVE-2017-9031
PublicDate: 2017-05-17 19:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9031
 http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.15
 https://bugs.debian.org/862611
Description:
 The WebUI component in Deluge before 1.3.15 contains a directory traversal
 vulnerability involving a request in which the name of the render file is
 not associated with any template file.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862611
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_deluge:
 upstream: http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=41acade01ae88f7b7bbdba308a0886771aa582fd
upstream_deluge: released (1.3.13+git20161130.48cedf63-3, 1.3.15)
precise/esm_deluge: DNE
trusty_deluge: ignored (reached end-of-life)
trusty/esm_deluge: DNE (trusty was needed)
vivid/stable-phone-overlay_deluge: DNE
vivid/ubuntu-core_deluge: DNE
xenial_deluge: ignored (end of standard support, was needed)
yakkety_deluge: ignored (reached end-of-life)
zesty_deluge: ignored (reached end-of-life)
artful_deluge: ignored (reached end-of-life)
bionic_deluge: not-affected (1.3.15-2)
cosmic_deluge: not-affected (1.3.15-2)
disco_deluge: not-affected (1.3.15-2)
eoan_deluge: not-affected (1.3.15-2)
focal_deluge: not-affected (1.3.15-2)
groovy_deluge: not-affected (1.3.15-2)
hirsute_deluge: not-affected (1.3.15-2)
impish_deluge: not-affected (1.3.15-2)
jammy_deluge: not-affected (1.3.15-2)
devel_deluge: not-affected (1.3.15-2)