CVE-2008-0252

Exp

Directory traversal vulnerability in the _get_file_path function in (1) lib/sessions.py in CherryPy 3.0.x up to 3.0.2, (2) filter/sessionfilter.py in CherryPy 2.1, and (3) filter/sessionfilter.py in CherryPy 2.x allows remote attackers to create or delete arbitrary files, and possibly read and write portions of arbitrary files, via a crafted session id in a cookie.

Published: 2008-01-12 Last update: 2026-04-23 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2008-0252 is rated High Exploit Risk (75.4/100): CVSS High severity, with medium exploitation likelihood (EPSS 2.92%). 4 public exploit reference(s) are indexed (Exploit-DB). Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2008-0252

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2008-0252

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-05-20 2.84% 2.92% +0.08%
2 2026-02-06 2.19% 2.84% +0.66%
3 2025-12-28 2.19%

Full EPSS history (21 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2008-0252

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 2.0 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 10.0 6.4 [email protected]

Weakness enumeration for CVE-2008-0252

GitHub Security Advisory for CVE-2008-0252

GHSA-76x8-gg39-5jjg · Severity: high · Ecosystem: pip — CherryPy Malicious cookies allow access to files outside the session directory

OS Trackers for CVE-2008-0252

vendor priority summary link
debian not yet assigned CVE-2008-0252 not yet assigned priority: Debian including 1 source packages (cherrypy3), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2008-0252
gentoo normal CVE-2008-0252: 1 GLSA(s) (200801-11), 1 atom(s) (dev-python/cherrypy); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2008-0252
redhat https://access.redhat.com/security/cve/CVE-2008-0252
ubuntu medium CVE-2008-0252 medium priority: Ubuntu including 2 source packages (cherrypy3, python-cherrypy), 14 status rows across 7 suites (dapper, edgy, feisty, gutsy, hardy, intrepid, upstream): not-affected 5, DNE 3, released 3, needed 2, ignored 1. https://ubuntu.com/security/CVE-2008-0252

Affected software / configurations for CVE-2008-0252

Vendor Product Version Raw CPE
cherrypy cherrypy <= 2.1.0 cpe:2.3:a:cherrypy:cherrypy:*:*:*:*:*:*:*:*
cherrypy cherrypy <= 3.0.2 cpe:2.3:a:cherrypy:cherrypy:*:*:*:*:*:*:*:*

References for CVE-2008-0252

URL Tags
http://secunia.com/advisories/28353
http://secunia.com/advisories/28354 Vendor Advisory
http://secunia.com/advisories/28611
http://secunia.com/advisories/28620
http://secunia.com/advisories/28769
http://security.gentoo.org/glsa/glsa-200801-11.xml
http://www.cherrypy.org/changeset/1774 Exploit Patch
http://www.cherrypy.org/changeset/1775 Exploit Patch
http://www.cherrypy.org/changeset/1776 Exploit
http://www.cherrypy.org/ticket/744 Exploit
http://www.debian.org/security/2008/dsa-1481
http://www.securityfocus.com/archive/1/487001/100/0/threaded
http://www.securityfocus.com/bid/27181
http://www.vupen.com/english/advisories/2008/0039
https://bugs.gentoo.org/show_bug.cgi?id=204829
https://issues.rpath.com/browse/RPL-2127
https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00240.html
https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00297.html
cvelogic Threat Intelligence