Vulnerability Description
In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding of the symbiote/silverstripe-versionedfiles source code. (Users who upgrade from SilverStripe 3.x to 4.x and had Versioned Files installed have no further need for this module, because the 4.x release has built-in versioning. However, nothing in the upgrade process automates the destruction of these insecure artefacts, nor alerts the user to the criticality of destruction.)
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Silverstripe | Silverstripe | >= 3.0.0, <= 3.7.4 |
| Symbiote | Versionedfiles | <= 2.0.3 |
References
- https://github.com/silverstripe/silverstripe-frameworkProductThird Party Advisory
- https://github.com/symbiote/silverstripe-versionedfilesProductThird Party Advisory
- https://www.silverstripe.org/download/security-releases/cve-2019-16409Vendor Advisory
- https://github.com/silverstripe/silverstripe-frameworkProductThird Party Advisory
- https://github.com/symbiote/silverstripe-versionedfilesProductThird Party Advisory
- https://www.silverstripe.org/download/security-releases/cve-2019-16409Vendor Advisory
FAQ
What is CVE-2019-16409?
CVE-2019-16409 is a vulnerability with a CVSS score of 5.3 (MEDIUM). In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic u...
How severe is CVE-2019-16409?
CVE-2019-16409 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-16409?
Check the references section above for vendor advisories and patch information. Affected products include: Silverstripe Silverstripe, Symbiote Versionedfiles.