High severity · NVD Advisory · Published Jan 12, 2008 · Updated Apr 23, 2026
CVE-2008-0252
Description
Directory traversal vulnerability in the _get_file_path function in (1) lib/sessions.py in CherryPy 3.0.x up to 3.0.2, (2) filter/sessionfilter.py in CherryPy 2.1, and (3) filter/sessionfilter.py in CherryPy 2.x allows remote attackers to create or delete arbitrary files, and possibly read and write portions of arbitrary files, via a crafted session id in a cookie.
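The description above names the defect precisely: the session id from the cookie is joined onto the storage directory and used as a file name, so an id containing path separators or `..` segments resolves to a file outside that directory. The block below is an added example, not CherryPy's own code, that puts the naive join beside a hardened resolver: the id is first checked against an allow-list of the characters the store actually issues, and the resolved path is then confirmed to lie inside the storage directory with a trailing-separator comparison (so a sibling directory that merely shares the prefix does not pass). The names `session_file_path`, `is_inside`, `unsafe_session_file_path`, `check_ids`, the prefix and the sample ids are all constructed for this example.

```python
import os
import re

# Constructed example values; not CherryPy's defaults.
SESSION_PREFIX = "session-"
# The only shape of id this store ever hands out: 8 to 64 alphanumerics.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9]{8,64}$")


class InvalidSessionId(ValueError):
    """Raised when a cookie-supplied session id is not usable as a file name."""


def unsafe_session_file_path(storage_path, session_id):
    """Pre-fix shape of the lookup: a plain join, no validation.

    Returns the normalized path so the caller sees what the OS would actually
    open; with an id built from '..' segments this lands outside storage_path.
    """
    return os.path.normpath(os.path.join(storage_path, SESSION_PREFIX + session_id))


def is_inside(base, candidate):
    """True if candidate resolves to a location under base.

    Both sides are made absolute with symlinks resolved. The comparison uses
    base with a trailing separator: a bare startswith(base) would also accept
    '/tmp/sessions-old/...' when base is '/tmp/sessions'.
    """
    base = os.path.realpath(base)
    candidate = os.path.realpath(candidate)
    return candidate.startswith(os.path.join(base, ""))


def session_file_path(storage_path, session_id):
    """Hardened lookup: allow-list the id, then verify containment.

    Raises InvalidSessionId instead of returning a path the caller might
    create, read or delete outside the session directory.
    """
    # Allow-list first, before any path arithmetic: an id that is not of the
    # shape we issued is simply not one of ours.
    if not SESSION_ID_RE.match(session_id):
        raise InvalidSessionId("session id has unexpected characters")
    candidate = os.path.join(storage_path, SESSION_PREFIX + session_id)
    # Belt and braces: even if the allow-list were loosened later, the resolved
    # path must still be inside the storage directory.
    if not is_inside(storage_path, candidate):
        raise InvalidSessionId("session id escapes the storage directory")
    # Return the resolved path so callers open exactly what was checked.
    return os.path.realpath(candidate)


def check_ids(storage_path, session_ids):
    """Classify each id as 'ok' or 'rejected' under the hardened resolver."""
    results = {}
    for sid in session_ids:
        try:
            session_file_path(storage_path, sid)
            results[sid] = "ok"
        except InvalidSessionId:
            results[sid] = "rejected"
    return results


if __name__ == "__main__":
    storage = "/tmp/sessions-demo"  # constructed; need not exist for the checks
    sample_ids = ["abcdefgh", "../../../etc/passwd", "a/../../../b"]
    for sid, verdict in check_ids(storage, sample_ids).items():
        print("%-22r %s" % (sid, verdict))
    print("naive join of traversal id resolves to:",
          unsafe_session_file_path(storage, "../../../etc/passwd"))
```

The allow-list alone already rejects every id containing a separator or a dot, so the containment check only matters if the allow-list is later relaxed; keeping both means a future change to one does not silently remove the protection. Returning the resolved path, rather than the raw join, closes the gap between the path that was checked and the path that is opened.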
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cherrypy (PyPI) | < 2.1.1 | 2.1.1 |
| cherrypy (PyPI) | >= 3.0, < 3.0.2 | 3.0.2 |
Affected products
Patches (1)
37b856eba6f2: 3.0.x fix for #744 (Malicious cookies may allow access to files outside the session directory).
1 file changed · +4 −1
cherrypy/lib/sessions.py+4 −1 modified@@ -260,7 +260,10 @@ def setup(self): os.path.abspath(self.storage_path))) def _get_file_path(self): - return os.path.join(self.storage_path, self.SESSION_PREFIX + self.id) + f = os.path.join(self.storage_path, self.SESSION_PREFIX + self.id) + if not os.path.normpath(f).startswith(self.storage_path): + raise cherrypy.HTTPError(400, "Invalid session id in cookie.") + return f def _load(self, path=None): if path is None:
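Review bot: the containment check in `_get_file_path` compares `os.path.normpath(f)` against `self.storage_path` with a bare `startswith`, so a normalized path that lands in a sibling directory sharing the same prefix (for a storage path of `/var/sessions`, anything under `/var/sessions-old`) still passes; compare against the directory with a trailing separator, e.g. `if not os.path.normpath(f).startswith(os.path.join(self.storage_path, '')):`, and return the normalized path rather than the raw `f` so that `_load` and the other callers open exactly the path that was checked. The check also depends on `setup` having already made `storage_path` absolute (the `os.path.abspath(self.storage_path)` context line), so a `storage_path` assigned after `setup` would be compared as a relative prefix; a one-line comment tying the two together would keep a later refactor from breaking it.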
References
- www.cherrypy.org/changeset/1774 (NVD: Exploit, Patch, Web)
- www.cherrypy.org/changeset/1775 (NVD: Exploit, Patch, Web)
- www.cherrypy.org/changeset/1776 (NVD: Exploit, Web)
- www.cherrypy.org/ticket/744 (NVD: Exploit, Web)
- secunia.com/advisories/28354 (NVD: Vendor Advisory)
- github.com/advisories/GHSA-76x8-gg39-5jjg (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2008-0252 (GHSA: Advisory)
- security.gentoo.org/glsa/glsa-200801-11.xml (NVD: Web)
- www.debian.org/security/2008/dsa-1481 (NVD: Web)
- bugs.gentoo.org/show_bug.cgi (NVD: Web)
- github.com/cherrypy/cherrypy/commit/37b856eba6f207231c691dae2e5b24e072f86664 (GHSA: Web)
- github.com/pypa/advisory-database/tree/main/vulns/cherrypy/PYSEC-2008-3.yaml (GHSA: Web)
- issues.rpath.com/browse/RPL-2127 (NVD: Web)
- web.archive.org/web/20080129011723/http://secunia.com/advisories/28354 (GHSA: Web)
- web.archive.org/web/20080312130713/http://secunia.com/advisories/28353 (GHSA: Web)
- web.archive.org/web/20080328003510/http://secunia.com/advisories/28611 (GHSA: Web)
- web.archive.org/web/20100122080212/http://www.vupen.com/english/advisories/2008/0039 (GHSA: Web)
- web.archive.org/web/20110513223620/http://secunia.com/advisories/28769 (GHSA: Web)
- web.archive.org/web/20111224161644/http://secunia.com/advisories/28620 (GHSA: Web)
- web.archive.org/web/20151108024505/http://www.securityfocus.com/bid/27181 (GHSA: Web)
- www.redhat.com/archives/fedora-package-announce/2008-January/msg00240.html (NVD: Web)
- www.redhat.com/archives/fedora-package-announce/2008-January/msg00297.html (NVD: Web)
- secunia.com/advisories/28353 (NVD)
- secunia.com/advisories/28611 (NVD)
- secunia.com/advisories/28620 (NVD)
- secunia.com/advisories/28769 (NVD)
- www.securityfocus.com/archive/1/487001/100/0/threaded (NVD)
- www.securityfocus.com/bid/27181 (NVD)
- www.vupen.com/english/advisories/2008/0039 (NVD)