List: oss-security
Subject: [oss-security] [ CVE-2018-1306 ] Apache Portals Pluto information disclosure vulnerability
From: "Martin Scott Nicklous" <Scott.Nicklous () de ! ibm ! com>
Date: 2018-06-26 12:06:17
Message-ID: OF86D0194F.A1B3DF32-ONC12582B8.003C8D37-C12582B8.00427E73 () notes ! na ! collabserv ! com
Affected Product: Apache Pluto
Severity: Important
Vendor: The Apache Software Foundation
CVEID: CVE-2018-1306
DESCRIPTION: The PortletV3AnnotatedDemo Multipart Portlet war file code
could allow a remote attacker to obtain sensitive information, caused by
the failure to restrict path information provided during a file upload. An
attacker could exploit this vulnerability to obtain configuration data and
other sensitive information.
Versions Affected:
3.0.0
Mitigation:
* Uninstall the PortletV3AnnotatedDemo Multipart Portlet war file
- or -
* migrate to version 3.0.1
Credit:
Che-Chun Kuo
Mit freundlichen Grüßen, / Kind regards,
Scott Nicklous
WebSphere Portal Standardization Lead & Technology Consultant
Specification Lead, JSR 362 Portlet Specification 3.0
IBM Commerce, Digital Experience Development
Phone: +49-7031-16-4808 / E-Mail:scott.nicklous@de.ibm.com / Schoenaicher
Str. 220, 71032 Boeblingen, Germany
IBM Deutschland Research & Development GmbH / Chairman of the Supervisory Board: Martina Koederitz / Management: Dirk Wittkopp
Registered office: Böblingen / Registration court: Amtsgericht Stuttgart, HRB 243294
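The weakness the advisory describes, a multipart upload handler that uses the path information in the client-supplied filename as-is, illustrated with a constructed Python example added here. This is not Pluto's code and not the PortletV3AnnotatedDemo portlet; it shows the unsafe join beside a hardened version that strips any directory component, validates what remains, and checks that the resolved target still lies under the upload directory. The upload directory and the submitted filenames are made-up inputs. In a Java servlet or portlet the equivalent untrusted value comes from Part.getSubmittedFileName() or the Content-Disposition header of the multipart body, and the same checks apply.

```python
"""Constructed example (not Pluto code): restricting path information in an upload filename."""
import os
import re

# Accept only a plain filename: no separators, no leading dot, bounded length.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def unsafe_target_path(upload_dir, submitted_name):
    """Vulnerable pattern: the client-supplied name is joined to the upload
    directory unchanged. '../' segments walk out of upload_dir, and an
    absolute name replaces it entirely (os.path.join discards the prefix)."""
    return os.path.normpath(os.path.join(upload_dir, submitted_name))


def sanitize_filename(submitted_name):
    """Reduce a submitted filename to a bare, validated name or raise ValueError."""
    # Old browsers and attackers may send a full path with either separator;
    # keep only the last path segment.
    name = submitted_name.replace("\\", "/").split("/")[-1]
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError("invalid upload filename: %r" % submitted_name)
    if not _SAFE_NAME.match(name):
        raise ValueError("disallowed characters in upload filename: %r" % name)
    return name


def is_acceptable_upload_name(submitted_name):
    """Boolean form of sanitize_filename for callers that only need a verdict."""
    try:
        sanitize_filename(submitted_name)
        return True
    except ValueError:
        return False


def safe_target_path(upload_dir, submitted_name):
    """Hardened pattern: sanitize the name, then verify the resolved target is
    inside the real upload directory (defence in depth against symlinks or a
    sanitizer bug)."""
    name = sanitize_filename(submitted_name)
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("target %r escapes upload directory %r" % (target, root))
    return target


def store_upload(upload_dir, submitted_name, data):
    """Write an uploaded file under upload_dir using the hardened path logic."""
    target = safe_target_path(upload_dir, submitted_name)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


if __name__ == "__main__":
    # Assumed upload directory; the names below are the attacker-style inputs.
    upload_dir = "/srv/portal/uploads"
    for name in ("report.pdf", "../../conf/portlet.xml", "/etc/passwd", "..\\..\\web.xml"):
        print("unsafe:", name, "->", unsafe_target_path(upload_dir, name))
        print("safe:  ", name, "->", sanitize_filename(name) if is_acceptable_upload_name(name) else "rejected")
```

Rejecting rather than silently repairing is the safer default once the last segment has been taken: a name that still fails the allow-list is almost never a legitimate upload, and refusing it also blocks hidden files such as `.htaccess` from landing in a served directory.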