Vulnerability Description
An issue was discovered in GCDWebServer before 3.5.3. The method moveItem in the GCDWebUploader class checks the FileExtension of newAbsolutePath but not oldAbsolutePath. By leveraging this vulnerability, an adversary can make an inaccessible file be available (the credential of the app, for instance).
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gcdwebserver Project | Gcdwebserver | < 3.5.3 |
Related Weaknesses (CWE)
References
- https://github.com/swisspol/GCDWebServer/commit/02738433bf2e1b820ef48f04edd15df3PatchThird Party Advisory
- https://github.com/swisspol/GCDWebServer/compare/3.5.2...3.5.3PatchThird Party Advisory
- https://github.com/swisspol/GCDWebServer/issues/433Third Party Advisory
- https://github.com/swisspol/GCDWebServer/commit/02738433bf2e1b820ef48f04edd15df3PatchThird Party Advisory
- https://github.com/swisspol/GCDWebServer/compare/3.5.2...3.5.3PatchThird Party Advisory
- https://github.com/swisspol/GCDWebServer/issues/433Third Party Advisory
FAQ
What is CVE-2019-14924?
CVE-2019-14924 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in GCDWebServer before 3.5.3. The method moveItem in the GCDWebUploader class checks the FileExtension of newAbsolutePath but not oldAbsolutePath. By leveraging this vulnerabil...
How severe is CVE-2019-14924?
CVE-2019-14924 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-14924?
Check the references section above for vendor advisories and patch information. Affected products include: Gcdwebserver Project Gcdwebserver.