PublicDateAtUSN: 2020-12-07 20:15:00 UTC
Candidate: CVE-2020-29600
PublicDate: 2020-12-07 20:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29600
 https://ubuntu.com/security/notices/USN-4953-1
Description:
 In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501.
Ubuntu-Description:
Notes:
 mdeslaur> fix is incomplete, see CVE-2020-35176
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891469
 https://github.com/eldy/awstats/issues/90
Priority: low
Discovered-by: Sean Boran
Assigned-to: avital
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_awstats:
 upstream: https://github.com/eldy/awstats/commit/d4d815d0caae3dbae83ac70a1ae4581bd57cf376
upstream_awstats: released (7.8-1)
precise/esm_awstats: DNE
trusty_awstats: ignored (out of standard support)
trusty/esm_awstats: DNE
xenial_awstats: ignored (end of standard support, was needed)
esm-infra/xenial_awstats: released (7.4+dfsg-1ubuntu0.4+esm1)
bionic_awstats: released (7.6+dfsg-2ubuntu0.18.04.1)
focal_awstats: released (7.6+dfsg-2ubuntu0.20.04.1)
groovy_awstats: released (7.6+dfsg-2ubuntu0.20.10.1)
hirsute_awstats: not-affected (7.8-1)
impish_awstats: not-affected (7.8-1)
jammy_awstats: not-affected (7.8-1)
devel_awstats: not-affected (7.8-1)
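The class of bug in the description (a "config" request parameter that should only select a file named awstats.<name>.conf under /etc/awstats, but which a partial fix still lets be an absolute path) is illustrated below. This is an added example, not AWStats code and not the upstream patch: the naive_config_path function models the weak check, and safe_config_path shows the allow-list approach a practitioner would want. CONFIG_DIR and the awstats.<name>.conf naming are assumptions taken from the Debian/Ubuntu layout mentioned in the description.

```python
"""Hypothetical config-name handling, vulnerable form beside a hardened form.

Not AWStats source. It models the failure mode in CVE-2020-29600: stripping
'..' is not the same as confining the lookup to the intended directory, because
an absolute name never needed '..' to leave it.
"""
import os
import re

# Assumption: Debian/Ubuntu default location for per-site AWStats configs.
CONFIG_DIR = "/etc/awstats"

# Allow-list for the site name: letters, digits, dot, dash, underscore only.
# No '/' means the value can never be a path, absolute or relative.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


def naive_config_path(name: str) -> str:
    """Weak check (the pattern of an incomplete fix): drops '..' components,
    then still honours an absolute pathname as-is."""
    parts = [p for p in name.split("/") if p not in ("", "..")]
    if os.path.isabs(name):
        # Bug: an absolute value bypasses the intended directory entirely.
        return "/" + "/".join(parts)
    return os.path.join(CONFIG_DIR, f"awstats.{'/'.join(parts)}.conf")


def safe_config_path(name: str) -> str:
    """Hardened check: validate the name against an allow-list, build the path
    ourselves, and verify the normalised result is a direct child of CONFIG_DIR."""
    if not SAFE_NAME.fullmatch(name) or ".." in name:
        raise ValueError(f"invalid config name: {name!r}")
    path = os.path.normpath(os.path.join(CONFIG_DIR, f"awstats.{name}.conf"))
    # Belt-and-braces: even if the allow-list were loosened later, refuse
    # anything that does not resolve to a file directly inside CONFIG_DIR.
    # A deployment reading real files would use os.path.realpath here to
    # resolve symlinks before comparing.
    if os.path.dirname(path) != os.path.normpath(CONFIG_DIR):
        raise ValueError(f"config path escapes {CONFIG_DIR}: {path}")
    return path


def is_safe_config_name(name: str) -> bool:
    """Convenience wrapper for callers that only want a yes/no answer."""
    try:
        safe_config_path(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("example.org", "/etc/passwd", "../../etc/passwd", ""):
        naive = naive_config_path(candidate)
        print(f"{candidate!r:24} naive -> {naive:45} safe -> {is_safe_config_name(candidate)}")
```

The naive variant returns /etc/passwd for the absolute input, which is exactly the "accepts an absolute pathname" behaviour the description names; the hardened variant never derives a path from user input at all, it only substitutes a validated token into a fixed template.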