CVE-2019-16114

In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve remote code execution. This occurs because install/include/header.php does not restrict certain changes (to db_host, db_login, db_password, and content_dir) within install/include/step5.php.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2019-16114/README.md	Exploit Third Party Advisory
https://github.com/atutor/ATutor/commits/master	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:atutor:atutor:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-09-09 13:15

Updated : 2023-12-10 12:59

NVD link : CVE-2019-16114

Mitre link : CVE-2019-16114

CVE.ORG link : CVE-2019-16114

JSON object : View

Products Affected

atutor

atutor

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2019-16114", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-09-09T13:15:11.777", "references": [{"url": "https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2019-16114/README.md", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/atutor/ATutor/commits/master", "tags": ["Patch"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve remote code execution. This occurs because install/include/header.php does not restrict certain changes (to db_host, db_login, db_password, and content_dir) within install/include/step5.php."}, {"lang": "es", "value": "En ATutor versiones 2.2.4, un atacante no autenticado puede cambiar la configuraci\u00f3n de la aplicaci\u00f3n y forzarla a utilizar su base de datos dise\u00f1ada, lo que le permite conseguir acceso a la aplicaci\u00f3n. Y a continuaci\u00f3n, puede cambiar el directorio en el cual la aplicaci\u00f3n carga los archivos, que le permite alcanzar la ejecuci\u00f3n de c\u00f3digo remota. Esto ocurre porque el archivo install/include/header.php no restringe ciertos cambios (en db_host, db_login, db_password y content_dir) dentro del archivo install/include/step5.php."}], "lastModified": "2020-08-24T17:37:01.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:atutor:atutor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7DAE444F-3475-41BE-AB95-1EDBA4B9604F", "versionEndIncluding": "2.2.4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}