Race condition in radicale

#VU39097 Race condition in radicale

Published: 2017-04-30 | Updated: 2020-08-08

Vulnerability identifier: #VU39097

Vulnerability risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8342

CWE-ID: CWE-362

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
radicale
Other software / Other software solutions

Vendor: radicale.org

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Radicale before 1.1.2 and 2.x before 2.0.0rc2 is prone to timing oracles and simple brute-force attacks when using the htpasswd authentication method.

Mitigation
Install update from vendor's website.

Vulnerable software versions

radicale: 2.0.0

External links
http://bugs.debian.org/861514
http://github.com/Kozea/Radicale/blob/1.1.2/NEWS.rst
http://github.com/Kozea/Radicale/commit/059ba8dec1f22ccbeab837e288b3833a099cee2d
http://github.com/Kozea/Radicale/commit/190b1dd795f0c552a4992445a231da760211183b
http://lists.debian.org/debian-lts-announce/2020/04/msg00019.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Race condition in radicale