漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng
Vulnerability Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the ssl_certchain option was never added to the admin-only set at all. This vulnerability is fixed in 0.5.0b3.dev97.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
授权机制不正确
Vulnerability Title
pyLoad 安全漏洞
Vulnerability Description
pyLoad是pyLoad开源的一个用 Python 编写的免费开源下载管理器。 pyLoad 0.5.0b3.dev97之前版本存在安全漏洞,该漏洞源于set_config_value函数中的ADMIN_ONLY_CORE_OPTIONS授权集使用了错误的选项名称,导致管理员检查始终为假,可能导致具有SETTINGS权限的用户覆盖SSL证书和密钥文件路径。
CVSS Information
N/A
Vulnerability Type
N/A