CVE-2019-13343

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-13343
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-13343.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-13343
Published
2019-10-02T16:15:14.227Z
Modified
2025-11-14T09:10:41.848022Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
[none]
Details

Butor Portal before 1.0.27 is affected by a Path Traversal vulnerability leading to a pre-authentication arbitrary file download. Effectively, a remote anonymous user can download any file on servers running Butor Portal. WhiteLabelingServlet is responsible for this vulnerability: it does not properly sanitize user input in the theme parameter t before reusing it in a path. This path is then used without validation to fetch a file and return its raw content to the user via the /wl?t=../../...&h= substring followed by a filename.

References

Affected packages

Git / bitbucket.org/butor-team/portal

Affected ranges

Type
GIT
Repo
https://bitbucket.org/butor-team/portal
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed
cd7055d33e194fcf530100ee1d8d13aa9cde230b

Affected versions

v1.*

v1.0.12
v1.0.13
v1.0.14
v1.0.15
v1.0.16
v1.0.17
v1.0.18
v1.0.19
v1.0.20
v1.0.21
v1.0.22
v1.0.23
v1.0.24
v1.0.25
v1.0.3
v1.0.5
v1.0.6
v1.0.7
v1.0.9

Database specific

vanir_signatures

[
    {
        "digest": {
            "line_hashes": [
                "258212608843229262247361505895702871892",
                "178147678383434021193724111240360665528",
                "298303949428613447334701423945072506860",
                "230145181926896130479237155499623611097",
                "218106648773736913122202914461757495194",
                "157252327876678578555298930454655562804",
                "315154663657932694346084968733643448105",
                "137450595319267565534451463980117174848"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "src/main/java/com/butor/portal/web/servlet/WhiteLabelingServlet.java"
        },
        "id": "CVE-2019-13343-3002fc52",
        "source": "https://bitbucket.org/butor-team/portal@cd7055d33e194fcf530100ee1d8d13aa9cde230b"
    },
    {
        "digest": {
            "function_hash": "274076426177737951096722083256556587546",
            "length": 2604.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "src/main/java/com/butor/portal/web/servlet/WhiteLabelingServlet.java",
            "function": "service"
        },
        "id": "CVE-2019-13343-5450f3f6",
        "source": "https://bitbucket.org/butor-team/portal@cd7055d33e194fcf530100ee1d8d13aa9cde230b"
    }
]