WeBWorK Program Generation Language up to 2.3.0 iopl translator.pm Remote Code Execution
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.6 | $0-$5k | 0.00 |
Summary
A vulnerability was found in WeBWorK Program Generation Language up to 2.3.0. It has been rated as critical. This affects an unknown part in the library lib/webwork/pg/translator.pm of the component iopl. Performing a manipulation results in Remote Code Execution. This vulnerability is known as CVE-2006-6629. No exploit is available. Upgrading the affected component is advised.
Details
A vulnerability, which was classified as critical, was found in WeBWorK Program Generation Language up to 2.3.0. This affects an unknown function in the library lib/webwork/pg/translator.pm of the component iopl. The manipulation with an unknown input leads to a remote code execution vulnerability. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:
lib/WeBWorK/PG/Translator.pm in WeBWorK Program Generation (PG) Language before 2.3.1 uses an insufficiently restrictive regular expression to determine valid macro filenames, which allows attackers to load arbitrary macro files whose names contain the strings (1) dangerousMacros.pl, (2) PG.pl, or (3) IO.pl.
The weakness was published 12/18/2006 (Website). It is possible to read the advisory at securityfocus.com. This vulnerability is uniquely identified as CVE-2006-6629 since 12/17/2006. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details of the vulnerability are known, but there is no available exploit.
It is declared as proof-of-concept.
Upgrading to version 2.3.1 eliminates this vulnerability.
The vulnerability is also documented in the vulnerability database at SecurityFocus (BID 21614†). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Vendor
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.3VulDB Meta Temp Score: 6.6
VulDB Base Score: 7.3
VulDB Temp Score: 6.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Remote Code ExecutionCWE: Unknown
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Proof-of-Concept
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Program Generation Language 2.3.1
Timeline
12/15/2006 🔍12/17/2006 🔍
12/18/2006 🔍
12/18/2006 🔍
03/12/2015 🔍
10/03/2017 🔍
Sources
Advisory: securityfocus.com⛔Status: Not defined
Confirmation: 🔍
CVE: CVE-2006-6629 (🔍)
GCVE (CVE): GCVE-0-2006-6629
GCVE (VulDB): GCVE-100-33915
SecurityFocus: 21614 - WeBWorK Program Generation Language Macro Security Restriction Bypass Vulnerability
Vupen: ADV-2006-5026
Entry
Created: 03/12/2015 22:21Updated: 10/03/2017 12:15
Changes: 03/12/2015 22:21 (47), 10/03/2017 12:15 (6)
Complete: 🔍
Cache ID: 216::103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.