{"id":"CVE-2019-15032","details":"Pydio 6.0.8 mishandles error reporting when a directory allows unauthenticated uploads, and the remote-upload option is used with the http://localhost:22 URL. The attacker can obtain sensitive information such as the name of the user who created that directory and other internal server information.","modified":"2026-04-10T04:12:27.483599Z","published":"2019-09-19T17:15:12.393Z","references":[{"type":"WEB","url":"https://pydio.com"},{"type":"ADVISORY","url":"https://sourceforge.net/projects/ajaxplorer/files/pydio/stable-channel/"},{"type":"EVIDENCE","url":"https://heitorgouvea.me/2019/09/17/CVE-2019-15032"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pydio/pydio-core","events":[{"introduced":"0"},{"last_affected":"2dc263a711352a491b3d2d66a01537d6a7975425"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"6.0.8"}]}}],"versions":["ajaxplorer-core-4.3.1","ajaxplorer-core-4.3.2","ajaxplorer-core-4.3.3","ajaxplorer-core-4.3.4","ajaxplorer-core-5.0.0","ajaxplorer-core-5.0.1","ajaxplorer-core-5.0.2","pydio-core-5.1.0","pydio-core-5.1.1","pydio-core-5.2.0","pydio-core-5.2.1","pydio-core-5.2.2","pydio-core-5.2.3","pydio-core-5.2.4","pydio-core-5.2.5","pydio-core-6.0.0","pydio-core-6.0.1","pydio-core-6.0.2","pydio-core-6.0.3","pydio-core-6.0.4","pydio-core-6.0.5","pydio-core-6.0.6","pydio-core-6.0.7","pydio-core-6.0.8"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-15032.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}