Medium severity 5.3 · NVD Advisory · Published Feb 3, 2016 · Updated May 6, 2026
CVE-2015-8748
Description
Radicale before 1.1 allows remote authenticated users to bypass owner_write and owner_only limitations via regex metacharacters in the user name, as demonstrated by ".*".
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Radicale (PyPI) | < 1.1 | 1.1 |
Patches
1109973a9259 Merge pull request #341 from Unrud/patch-4
1 file changed · +4 −1
radicale/rights/regex.py+4 −1 modified@@ -65,7 +65,10 @@ def _read_from_sections(user, collection_url, permission): """Get regex sections.""" filename = os.path.expanduser(config.get("rights", "file")) rights_type = config.get("rights", "type").lower() - regex = ConfigParser({"login": user, "path": collection_url}) + # Prevent "regex injection" + user_escaped = re.escape(user) + collection_url_escaped = re.escape(collection_url) + regex = ConfigParser({"login": user_escaped, "path": collection_url_escaped}) if rights_type in DEFINED_RIGHTS: log.LOGGER.debug("Rights type '%s'" % rights_type) regex.readfp(StringIO(DEFINED_RIGHTS[rights_type]))
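Review bot: The `re.escape` calls added ahead of the `ConfigParser({...})` line ship without a regression test, since the change touches only radicale/rights/regex.py; add a test that authenticates with the user name `.*` and asserts that an owner_only or owner_write configuration still denies access to another user's collection. It is also worth confirming that a `%` in `user` or `collection_url` cannot be picked up by ConfigParser interpolation once the values are passed in as defaults, because `re.escape` targets regex syntax rather than interpolation syntax. The comment `# Prevent "regex injection"` could also say that `login` and `path` end up inside the patterns of the regex sections, which is why they need escaping.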
References
- github.com/Kozea/Radicale/pull/341 (nvd: Patch, Vendor Advisory, WEB)
- github.com/advisories/GHSA-6w8c-6jrg-qwj2 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-8748 (ghsa: ADVISORY)
- lists.fedoraproject.org/pipermail/package-announce/2016-January/175738.html (nvd: WEB)
- lists.fedoraproject.org/pipermail/package-announce/2016-January/175776.html (nvd: WEB)
- www.debian.org/security/2016/dsa-3462 (nvd: WEB)
- www.openwall.com/lists/oss-security/2016/01/05/7 (nvd: WEB)
- www.openwall.com/lists/oss-security/2016/01/06/4 (nvd: WEB)
- github.com/Kozea/Radicale/commit/1109973a925970353dfd13c6df8de0e4e446d983 (ghsa: WEB)
- github.com/Unrud/Radicale/commit/4bfe7c9f7991d534c8b9fbe153af9d341f925f98 (nvd: WEB)
- github.com/pypa/advisory-database/tree/main/vulns/radicale/PYSEC-2016-37.yaml (ghsa: WEB)
- pypi.org/project/radicale (ghsa: WEB)
- web.archive.org/web/20200804235922/http://www.securityfocus.com/bid/80255 (ghsa: WEB)
- www.securityfocus.com/bid/80255 (nvd)