
List:       oss-security
Subject:    [oss-security] [ CVE-2018-1306 ] Apache Portals Pluto information disclosure vulnerability
From:       "Martin Scott Nicklous" <Scott.Nicklous () de ! ibm ! com>
Date:       2018-06-26 12:06:17
Message-ID: OF86D0194F.A1B3DF32-ONC12582B8.003C8D37-C12582B8.00427E73 () notes ! na ! collabserv ! com


Affected Product: Apache Pluto

Severity: Important

Vendor: The Apache Software Foundation

CVEID: CVE-2018-1306

DESCRIPTION: The PortletV3AnnotatedDemo Multipart Portlet war file code
could allow a remote attacker to obtain sensitive information, caused by
the failure to restrict path information provided during a file upload. An
attacker could exploit this vulnerability to obtain configuration data and
other sensitive information.
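As an added illustration of the flaw class the description names (the client-supplied file name of a multipart upload used without restricting its path information), here is a constructed Java example that contrasts a handler trusting the submitted name with one that confines it to the intended upload directory. This is not Pluto's code and not the change shipped in 3.0.1; the class name, the upload directory, and the sample file names are assumptions for the demo. In a real servlet or portlet the submitted name would come from Part.getSubmittedFileName().

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class UploadPathDemo {

    // Directory the upload handler intends to confine files to (assumed for the demo).
    static final Path UPLOAD_DIR =
            Paths.get(System.getProperty("java.io.tmpdir"), "upload-demo").toAbsolutePath().normalize();

    // Vulnerable pattern: the file name taken from the multipart Content-Disposition
    // header (what Part.getSubmittedFileName() returns) is joined to the upload
    // directory unchanged, so "../" segments or absolute paths escape it.
    static Path vulnerableTarget(String submittedFileName) {
        return UPLOAD_DIR.resolve(submittedFileName).normalize();
    }

    // Hardened pattern: keep only the last path segment (browsers may legitimately
    // send a full client-side path, attackers send traversal), reject empty or
    // special names, and verify that the normalized result is still inside UPLOAD_DIR.
    static Path safeTarget(String submittedFileName) {
        if (submittedFileName == null) {
            throw new IllegalArgumentException("missing file name");
        }
        // Strip any directory component, for both '/' and '\' separators.
        String base = submittedFileName.replaceAll("^.*[/\\\\]", "");
        if (base.isEmpty() || base.equals(".") || base.equals("..") || base.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid file name: " + submittedFileName);
        }
        Path target = UPLOAD_DIR.resolve(base).normalize();
        // Defence in depth: even after stripping, never write outside the upload directory.
        if (!UPLOAD_DIR.equals(target.getParent())) {
            throw new IllegalArgumentException("path escapes upload directory: " + submittedFileName);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed file names as a client might supply them in a multipart request.
        String[] submitted = {
            "report.txt",
            "../../etc/passwd",
            "/etc/passwd",
            "C:\\Users\\alice\\notes.txt",
            "..\\..\\conf\\secret.properties",
            ".."
        };
        for (String name : submitted) {
            System.out.println("submitted: " + name);
            System.out.println("  vulnerable -> " + vulnerableTarget(name));
            try {
                System.out.println("  hardened   -> " + safeTarget(name));
            } catch (IllegalArgumentException e) {
                System.out.println("  hardened   -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running it on a Unix system shows the vulnerable variant resolving "../../etc/passwd" and "/etc/passwd" to locations outside the upload directory, while the hardened variant either reduces each name to a single segment under UPLOAD_DIR or rejects it. The final parent-directory check is deliberately kept even though the regex already removes separators, so that a future change to the stripping logic cannot silently reopen the traversal.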

Versions Affected:
3.0.0

Mitigation:
* Uninstall the PortletV3AnnotatedDemo Multipart Portlet war file
- or -
* migrate to version 3.0.1

Credit:
Che-Chun Kuo

Kind regards,
Scott Nicklous

WebSphere Portal Standardization Lead & Technology Consultant
Specification Lead, JSR 362 Portlet Specification 3.0
IBM Commerce, Digital Experience Development

Phone: +49-7031-16-4808 / E-Mail:scott.nicklous@de.ibm.com /  Schoenaicher
Str. 220, 71032 Boeblingen, Germany
IBM Deutschland Research & Development GmbH / Chairwoman of the
Supervisory Board: Martina Koederitz / Management: Dirk Wittkopp
Registered office: Böblingen / Court of registration: Amtsgericht Stuttgart,
HRB 243294

