PublicDateAtUSN: 2019-12-31 18:15:00 UTC
Candidate: CVE-2019-14466
PublicDate: 2019-12-31 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14466
 https://github.com/gosa-project/gosa-core/commit/e1504e9765db2adde8b4685b5c93fbba57df868b (fix)
 https://github.com/gosa-project/gosa-core/commit/90b674960335d888c76ca5e99027df8e7fa66f3a (fixing the prev commit)
 https://github.com/gosa-project/gosa-core/pull/30#issuecomment-521975100
 https://ubuntu.com/security/notices/USN-4609-1
Description:
 The GOsa_Filter_Settings cookie in GONICUS GOsa 2.7.5.2 is vulnerable to
 PHP objection injection, which allows a remote authenticated attacker to
 perform file deletions (in the context of the user account that runs the
 web server) via a crafted cookie value, because unserialize is used to
 restore filter settings from a cookie.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N [6.5 MEDIUM]


Patches_gosa:
upstream_gosa: released (2.7.4+reloaded3-10)
precise/esm_gosa: DNE
trusty_gosa: ignored (out of standard support)
trusty/esm_gosa: DNE
xenial_gosa: released (2.7.4+reloaded2-9ubuntu1.1)
bionic_gosa: needed
disco_gosa: ignored (reached end-of-life)
eoan_gosa: not-affected (2.7.4+reloaded3-10)
focal_gosa: not-affected (2.7.4+reloaded3-10)
groovy_gosa: not-affected (2.7.4+reloaded3-10)
hirsute_gosa: not-affected (2.7.4+reloaded3-10)
impish_gosa: not-affected (2.7.4+reloaded3-10)
jammy_gosa: not-affected (2.7.4+reloaded3-10)
devel_gosa: not-affected (2.7.4+reloaded3-10)