{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-09-18T00:00:00", "descriptions": [{"lang": "en", "value": "Gallery before 1.5.9, and 2.x before 2.2.6, does not properly handle ZIP archives containing symbolic links, which allows remote authenticated users to conduct directory traversal attacks and read arbitrary files via vectors related to the archive upload (aka zip upload) functionality."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-07T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "GLSA-200811-02", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://security.gentoo.org/glsa/glsa-200811-02.xml"}, {"name": "33144", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/33144"}, {"name": "gallery-ziparchives-information-disclosure(45228)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45228"}, {"name": "31912", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31912"}, {"name": "32662", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/32662"}, {"name": "FEDORA-2008-11258", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00832.html"}, {"name": "31231", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/31231"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://gallery.menalto.com/gallery_2.2.6_released"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://gallery.menalto.com/gallery_1.5.9_released"}, {"name": "FEDORA-2008-11230", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00794.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-4129", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Gallery before 1.5.9, and 2.x before 2.2.6, does not properly handle ZIP archives containing symbolic links, which allows remote authenticated users to conduct directory traversal attacks and read arbitrary files via vectors related to the archive upload (aka zip upload) functionality."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "GLSA-200811-02", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200811-02.xml"}, {"name": "33144", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/33144"}, {"name": "gallery-ziparchives-information-disclosure(45228)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45228"}, {"name": "31912", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/31912"}, {"name": "32662", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32662"}, {"name": "FEDORA-2008-11258", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00832.html"}, {"name": "31231", "refsource": "BID", "url": "http://www.securityfocus.com/bid/31231"}, {"name": "http://gallery.menalto.com/gallery_2.2.6_released", "refsource": "CONFIRM", "url": "http://gallery.menalto.com/gallery_2.2.6_released"}, {"name": "http://gallery.menalto.com/gallery_1.5.9_released", "refsource": "CONFIRM", "url": "http://gallery.menalto.com/gallery_1.5.9_released"}, {"name": "FEDORA-2008-11230", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00794.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T10:08:34.912Z"}, "title": "CVE Program Container", "references": [{"name": "GLSA-200811-02", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "http://security.gentoo.org/glsa/glsa-200811-02.xml"}, {"name": "33144", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/33144"}, {"name": "gallery-ziparchives-information-disclosure(45228)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45228"}, {"name": "31912", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31912"}, {"name": "32662", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/32662"}, {"name": "FEDORA-2008-11258", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00832.html"}, {"name": "31231", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/31231"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://gallery.menalto.com/gallery_2.2.6_released"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://gallery.menalto.com/gallery_1.5.9_released"}, {"name": "FEDORA-2008-11230", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00794.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-4129", "datePublished": "2008-09-18T20:00:00", "dateReserved": "2008-09-18T00:00:00", "dateUpdated": "2024-08-07T10:08:34.912Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gallery:gallery:*:*:*:*:*:*:*:*", "matchCriteriaId": "F63EDF9A-1818-41D4-96EF-DFF61994C27F", "versionEndIncluding": "2.2.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallery:gallery:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "CAD2DDED-A01D-4026-B8C3-0DA916466D1C", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallery:gallery:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "D400C30B-BD93-4419-BEC2-24A470F5E473", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallery:gallery:2.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "8180C4E9-EFC9-438C-AAAF-B09B838CA17E", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallery:gallery:2.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "B2ED9F1B-D3BD-42BA-8300-6A719A577F7F", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallery:gallery:2.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "3A821D29-75FA-4A6D-BE1A-D11906FA188D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gallery:gallery:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2630CD9-31D8-4E24-B518-03D94B3383B9", "versionEndIncluding": "1.5.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Gallery before 1.5.9, and 2.x before 2.2.6, does not properly handle ZIP archives containing symbolic links, which allows remote authenticated users to conduct directory traversal attacks and read arbitrary files via vectors related to the archive upload (aka zip upload) functionality."}, {"lang": "es", "value": "Gallery, versiones anteriores a 1.5.9, y 2.x y versiones anteriores a 2.2.6, no trata adecuadamente archivos ZIP que contienen enlaces simb\u00f3licos, el cual permite a los usuarios remotos autentificados manejar los ataques de salto de directorio y leer archivos arbitrariamente a trav\u00e9s de vectores relativos a el fichero cargado funcionalmente (alias zip cargado)."}], "id": "CVE-2008-4129", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2008-09-18T20:00:00.577", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://gallery.menalto.com/gallery_1.5.9_released"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://gallery.menalto.com/gallery_2.2.6_released"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/31912"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/32662"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/33144"}, {"source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200811-02.xml"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/31231"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45228"}, {"source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00794.html"}, {"source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00832.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://gallery.menalto.com/gallery_1.5.9_released"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://gallery.menalto.com/gallery_2.2.6_released"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/31912"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/32662"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/33144"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200811-02.xml"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/31231"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45228"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00794.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00832.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "gallery2 arbitrary file disclosure", "id": "462883", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=462883"}, "csaw": false, "details": ["Gallery before 1.5.9, and 2.x before 2.2.6, does not properly handle ZIP archives containing symbolic links, which allows remote authenticated users to conduct directory traversal attacks and read arbitrary files via vectors related to the archive upload (aka zip upload) functionality."], "name": "CVE-2008-4129", "public_date": "2008-09-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2008-4129"], "threat_severity": "Moderate"}