Pen 0.18.0 Temp File webfile.html privilege escalation

A vulnerability, which was classified as critical, was found in Pen 0.18.0. Affected is an unknown functionality of the file webfile.html of the component Temp File Handler. The manipulation with an unknown input leads to a privilege escalation vulnerability (Symlink). CWE is classifying the issue as CWE-269. This is going to have an impact on confidentiality, integrity, and availability.

The bug was discovered 03/13/2014. The weakness was disclosed 12/13/2019 by Steve Kemp. This vulnerability is traded as CVE-2014-2387 since 03/13/2014. Technical details are known, but there is no available exploit.

The vulnerability was handled as a non-public zero-day exploit for at least 2101 days. During that time the estimated underground price was around $0-$5k.

Applying a patch is able to eliminate this problem.

The vulnerability is also documented in the vulnerability database at SecurityFocus (BID 66214).

Name

VulDB Meta Base Score: 5.5
VulDB Meta Temp Score: 5.3

VulDB Base Score: ≈5.5
VulDB Temp Score: ≈5.3
VulDB Vector: 🔒
VulDB Reliability: 🔍

VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Class: Privilege escalation / Symlink (CWE-269)
Local: Yes
Remote: No

Availability: 🔒
Status: Not defined

Price Prediction: 🔍
Current Price Estimation: 🔒

Threat Intelligenceinfoedit

Threat: 🔍
Adversaries: 🔍
Geopolitics: 🔍
Economy: 🔍
Predictions: 🔍
Remediation: 🔍Recommended: Patch
Status: 🔍

0-Day Time: 🔒

03/13/2014 Vulnerability found
03/13/2014 +0 days CVE assigned
03/13/2014 +0 days SecurityFocus entry assigned
12/13/2019 +2101 days Advisory disclosed
12/14/2019 +1 days VulDB entry created
12/14/2019 +0 days VulDB last updateResearcher: Steve Kemp

CVE: CVE-2014-2387 (🔒)
SecurityFocus: 66214 - Pen 'penctl.cgi' Multiple Insecure Temporary File Creation Vulnerabilities
OSVDB: 104469

Created: 12/14/2019 08:18 AM
Complete: 🔍

Comments are closed.