CVE-2002-0196 - Vulnerability Details - OpenCVE

GetRelativePath in ACD Incorporated CwpAPI 1.1 only verifies if the server root is somewhere within the path, which could allow remote attackers to read or write files outside of the web root, in other directories whose path includes the web root.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Acd Incorporated	Cwpapi

Configuration 1 [-]

cpe:2.3:a:acd_incorporated:cwpapi:1.1:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://online.securityfocus.com/archive/1/251699
http://sourceforge.net/forum/forum.php?forum_id=144966
http://www.iss.net/security_center/static/7981.php
http://www.securityfocus.com/bid/3924

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2002-06-25T04:00:00

Updated: 2024-08-08T02:42:28.488Z

Reserved: 2002-05-01T00:00:00

Link: CVE-2002-0196

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2002-05-16T04:00:00.000

Modified: 2025-04-03T01:03:51.193

Link: CVE-2002-0196

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2002-01-22T00:00:00", "descriptions": [{"lang": "en", "value": "GetRelativePath in ACD Incorporated CwpAPI 1.1 only verifies if the server root is somewhere within the path, which could allow remote attackers to read or write files outside of the web root, in other directories whose path includes the web root."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2007-02-07T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "3924", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/3924"}, {"name": "cwpapi-getrelativepath-view-files(7981)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "http://www.iss.net/security_center/static/7981.php"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://sourceforge.net/forum/forum.php?forum_id=144966"}, {"name": "20020122 (Repost) CwpApi : GetRelativePath() returns invalid paths (security advisory)", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://online.securityfocus.com/archive/1/251699"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2002-0196", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "GetRelativePath in ACD Incorporated CwpAPI 1.1 only verifies if the server root is somewhere within the path, which could allow remote attackers to read or write files outside of the web root, in other directories whose path includes the web root."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "3924", "refsource": "BID", "url": "http://www.securityfocus.com/bid/3924"}, {"name": "cwpapi-getrelativepath-view-files(7981)", "refsource": "XF", "url": "http://www.iss.net/security_center/static/7981.php"}, {"name": "http://sourceforge.net/forum/forum.php?forum_id=144966", "refsource": "CONFIRM", "url": "http://sourceforge.net/forum/forum.php?forum_id=144966"}, {"name": "20020122 (Repost) CwpApi : GetRelativePath() returns invalid paths (security advisory)", "refsource": "BUGTRAQ", "url": "http://online.securityfocus.com/archive/1/251699"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-08T02:42:28.488Z"}, "title": "CVE Program Container", "references": [{"name": "3924", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/3924"}, {"name": "cwpapi-getrelativepath-view-files(7981)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "http://www.iss.net/security_center/static/7981.php"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://sourceforge.net/forum/forum.php?forum_id=144966"}, {"name": "20020122 (Repost) CwpApi : GetRelativePath() returns invalid paths (security advisory)", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://online.securityfocus.com/archive/1/251699"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2002-0196", "datePublished": "2002-06-25T04:00:00", "dateReserved": "2002-05-01T00:00:00", "dateUpdated": "2024-08-08T02:42:28.488Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:acd_incorporated:cwpapi:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "3FF5F0FC-785B-41DA-B640-62A52509E26F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GetRelativePath in ACD Incorporated CwpAPI 1.1 only verifies if the server root is somewhere within the path, which could allow remote attackers to read or write files outside of the web root, in other directories whose path includes the web root."}, {"lang": "es", "value": "GetRelativePath en ACD Incorporated CwAPI 1.1 solo verifica si la ra\u00edz del servidor est\u00e1 dentro de la ruta (path) lo que podr\u00eda permitir a atacantes remotos leer o escribir ficheros fuera de la ra\u00edz del web, en otros directorios cuya ruta incluye la ra\u00edz del web."}], "id": "CVE-2002-0196", "lastModified": "2025-04-03T01:03:51.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2002-05-16T04:00:00.000", "references": [{"source": "cve@mitre.org", "url": "http://online.securityfocus.com/archive/1/251699"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://sourceforge.net/forum/forum.php?forum_id=144966"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.iss.net/security_center/static/7981.php"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/3924"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://online.securityfocus.com/archive/1/251699"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://sourceforge.net/forum/forum.php?forum_id=144966"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.iss.net/security_center/static/7981.php"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/3924"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}