List: oss-security
Subject: [oss-security] [CVE-2018-11789] Apache Incubator Heron file access vulnerability
From: Neng Lu <freeneng () gmail ! com>
Date: 2019-03-06 22:22:45
Message-ID: CANwEksUQ7BUBm4gfK3Dew-_Mm1-nO=Dh4u1wwvZ7CV8VwP=Zvg () mail ! gmail ! com
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Heron 0.13.0 to 0.17.8
Description:
When accessing the heron-ui web page, a user can modify the file path
parameter to point outside of the current container and read any file on the host.
Mitigation:
All Heron users should upgrade to 0.20.0-incubating.
Example:
Modify the parameter path= to the directory you would like to view,
e.g. ..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
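The root cause described above is a file-serving handler that trusts a user-supplied path. As an added example (not code from the advisory or from the Heron project), the following Python shows the kind of confinement check such a handler needs: the requested value is URL-decoded, joined to the container's base directory, canonicalised with realpath so that ".." segments and symlinks are resolved, and then compared against the base directory before any file is opened. The base directory and the sample requests are constructed for this illustration.

```python
import os
from urllib.parse import unquote
from typing import Optional

# Constructed for this example: the directory the UI is allowed to serve from.
BASE_DIR = "/var/lib/heron/container"


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the permitted base directory."""


def resolve_under_base(base_dir: str, requested: str) -> str:
    """Return the canonical absolute path for `requested`, confined to `base_dir`.

    `requested` is the raw value of a query parameter such as path= and may be
    URL-encoded, so "..%2F.." is decoded before the check. The comparison is made
    on the canonical form (".." and symlinks resolved), not on the raw string,
    so encoded separators and symlink hops cannot slip past it.
    """
    base = os.path.realpath(base_dir)
    decoded = unquote(requested)
    # A NUL byte can truncate the path once it reaches C-level file APIs.
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in requested path")
    # os.path.join discards `base` when `decoded` is absolute, so "/etc/passwd"
    # resolves to itself and is rejected by the prefix check below.
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Accept base itself or anything strictly below it; the os.sep suffix stops
    # "/var/lib/heron/container-evil" from matching "/var/lib/heron/container".
    if candidate != base and not candidate.startswith(base + os.sep):
        raise PathTraversalError(f"path escapes base directory: {requested!r}")
    return candidate


def check_request(requested: str) -> Optional[str]:
    """Return the safe resolved path for a path= value, or None if it must be refused."""
    try:
        return resolve_under_base(BASE_DIR, requested)
    except PathTraversalError:
        return None


if __name__ == "__main__":
    # Constructed sample values of the path= parameter, as a handler would see them.
    samples = [
        "logs/worker.log",
        "logs/../worker.log",
        "..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",
        "/etc/passwd",
        "logs%00/../../etc/passwd",
    ]
    for s in samples:
        resolved = check_request(s)
        print(f"{s!r:50} -> {'REFUSED' if resolved is None else resolved}")
```

The check deliberately works on the canonical path rather than by searching the raw string for "..", because a denylist on the raw value is bypassed by alternative encodings and by symlinks inside the served tree; the upgrade in the Mitigation section remains the fix for affected Heron versions.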
Credit:
This issue was discovered by Windham Wong of stormeye.io
--
Best Regards,
Neng