FreeBSD : h2o -- directory traversal vulnerability (31ea7f73-5c55-11e5-8607-74d02b9a84d5)

Medium Nessus Plugin ID 85965


The remote FreeBSD host is missing a security-related update.


Yakuzo reports :

H2O (up to version 1.4.4 / 1.5.0-beta1) contains a flaw in its URL normalization logic.

When file.dir directive is used, this flaw allows a remote attacker to retrieve arbitrary files that exist outside the directory specified by the directive.

H2O version 1.4.5 and version 1.5.0-beta2 have been released to address this vulnerability.

Users are advised to upgrade their servers immediately.

The vulnerability was reported by: Yusuke OSUMI.


Update the affected package.

See Also

Plugin Details

Severity: Medium

ID: 85965

File Name: freebsd_pkg_31ea7f735c5511e5860774d02b9a84d5.nasl

Version: $Revision: 1.2 $

Type: local

Published: 2015/09/17

Modified: 2015/09/24

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:h2o, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2015/09/16

Vulnerability Publication Date: 2015/09/14

Reference Information

CVE: CVE-2015-5638