Advisories for Pypi/Radicale package

2022

Radicale vulnerable to arbitrary file read or write

The multifilesystem storage backend in Radicale before 1.1 allows remote attackers to read or write to arbitrary files via a crafted component name.

Radicale regex metacharacters injection in the user name

Radicale before 1.1 allows remote authenticated users to bypass owner_write and owner_only limitations via regex metacharacters in the user name, as demonstrated by .*.

Radicale is vulnerable to timing oracles and simple bruteforce attacks

Radicale before 1.1.2 and 2.0.0rc1 is prone to timing oracles and simple brute-force attacks when using the htpasswd authentication method.

2016

Path Traversal

The filesystem storage backend in Radicale on Windows allows remote attackers to read or write to arbitrary files via a crafted path.