Fluid Attacks Database

Description

In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	awstats	>=0 <7.8-1	7.8-1
alpine v3.10	awstats	=6.95-r0 \|\| =7.0-r0 \|\| =7.1-r0 \|\| =7.1.1-r0 \|\| =7.2-r0 \|\| =7.2-r1 \|\| =7.3-r0 \|\| =7.4-r0 \|\| =7.5-r0 \|\| =7.5-r1 \|\| =7.6-r0 \|\| =7.6-r1 \|\| =7.6-r2 \|\| =7.7-r0 \|\| >=0 <7.8-r0	7.8-r0
alpine v3.11	awstats	=6.95-r0 \|\| =7.0-r0 \|\| =7.1-r0 \|\| =7.1.1-r0 \|\| =7.2-r0 \|\| =7.2-r1 \|\| =7.3-r0 \|\| =7.4-r0 \|\| =7.5-r0 \|\| =7.5-r1 \|\| =7.6-r0 \|\| =7.6-r1 \|\| =7.6-r2 \|\| =7.7-r0 \|\| >=0 <7.8-r0	7.8-r0
debian 14	awstats	>=0 <7.8-1	7.8-1
debian 12	awstats	>=0 <7.8-1	7.8-1
debian 13	awstats	>=0 <7.8-1	7.8-1

Aliases

1. CVE-2020-296002. NVD-2020-296003. OSV-DEBIAN-2020-296004. OSV-2020-296005. OSV-ALPINE-2020-296006. SECURITY-TRACKER-CVE-2020-296007. SECURITY-CVE-2020-29600

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.