JVNDB-2024-000119
|
Multiple vulnerabilities in FitNesse
|
FitNesse, provided by unclebob, contains the vulnerabilities listed below, which are due to responder plugin configuration.
- Cross-site scripting (CWE-79) - CVE-2024-39610
- Path traversal (CWE-22) - CVE-2024-42499
Takeshi Kaneko of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 6.1 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-39610
|
CVSS V3 Severity: Base Metrics 5.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-42499
|
|
unclebob
- FitNesse releases prior to 20241026
|
|
- An arbitrary script may be executed in the web browser of a user who is using the product (CVE-2024-39610)
- An attacker may be able to determine whether a file exists at a specific path, and/or obtain some part of the file contents under specific conditions (CVE-2024-42499)
|
[Update the software]
Update the software to the latest version according to the information provided by the developer.
The developer fixed the vulnerability in the following version:
- FitNesse release 20241026
|
unclebob
|
- Path Traversal (CWE-22) [IPA Evaluation]
- Cross-site Scripting (CWE-79) [IPA Evaluation]
|
- CVE-2024-39610
- CVE-2024-42499
|
- JVN : JVN#36791327
|
- [2024/11/15] Web page was published
|