In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.

Reference: https://github.com/eldy/awstats/issues/195
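A log check for the behaviour described above, as an added example that is not part of the original report or of AWStats: it flags requests to awstats.pl whose decoded config= value is not a plain site name. The allowed-name pattern, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jan/2021:10:00:01 +0000] '
    '"GET /cgi-bin/awstats.pl?config=www.example.com HTTP/1.1" 200 5120',
    '192.0.2.11 - - [04/Jan/2021:10:00:07 +0000] '
    '"GET /cgi-bin/awstats.pl?config=/placeholder/dir/name HTTP/1.1" 200 312',
    '192.0.2.11 - - [04/Jan/2021:10:00:09 +0000] '
    '"GET /cgi-bin/awstats.pl?output=main&config=%2Fplaceholder%2Fdir%2Fname HTTP/1.1" 200 312',
    '192.0.2.12 - - [04/Jan/2021:10:01:00 +0000] '
    '"GET /index.html?config=/x HTTP/1.1" 200 10',
]

# Request line inside the quoted field of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Assumption: legitimate config values are site names (letters, digits, dot,
# dash, underscore) and never contain a path separator.
SAFE_CONFIG_RE = re.compile(r'[A-Za-z0-9][A-Za-z0-9._-]*')


def suspicious_config_values(line):
    """Return the decoded config= values in one log line that look like paths."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith('/awstats.pl'):
        return []
    # parse_qs percent-decodes, so %2F is compared as '/'.
    values = parse_qs(url.query, keep_blank_values=True).get('config', [])
    return [v for v in values if not SAFE_CONFIG_RE.fullmatch(v)]


def scan(lines):
    """Return (line_number, decoded_value) for every suspicious request."""
    return [(n, v) for n, line in enumerate(lines, 1)
            for v in suspicious_config_values(line)]


if __name__ == '__main__':
    for number, value in scan(SAMPLE_LOG):
        print(f'line {number}: unexpected config value {value!r}')
```

Hits from this check are worth reviewing even on patched hosts, since they show probing of the parameter.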
Created awstats tracking bugs for this issue:

Affects: epel-all [bug 1911646]
Affects: fedora-all [bug 1911645]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
FEDORA-2020-d1aa0e030c has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2020-4cba5f2846 has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2020-d4406c9c75 has been pushed to the Fedora EPEL 8 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2020-ab8d229496 has been pushed to the Fedora EPEL 7 stable repository. If problem still persists, please make note of it in this bug report.