Posted to pluto-user@portals.apache.org by Martin Scott Nicklous <Sc...@de.ibm.com> on 2018/06/26 12:06:17 UTC

[ CVE-2018-1306 ] Apache Portals Pluto information disclosure vulnerability


Affected Product: Apache Pluto

Severity: Important

Vendor: The Apache Software Foundation

CVEID: CVE-2018-1306

DESCRIPTION: The PortletV3AnnotatedDemo Multipart Portlet war file code
could allow a remote attacker to obtain sensitive information, caused by
the failure to restrict path information provided during a file upload. An
attacker could exploit this vulnerability to obtain configuration data and
other sensitive information.

Versions Affected:
3.0.0

Mitigation:
* Uninstall the PortletV3AnnotatedDemo Multipart Portlet war file
- or -
* migrate to version 3.0.1

Credit:
Che-Chun Kuo

Mit freundlichen Grüßen, / Kind regards,
Scott Nicklous

WebSphere Portal Standardization Lead & Technology Consultant
Specification Lead, JSR 362 Portlet Specification 3.0
IBM Commerce, Digital Experience Development

Phone: +49-7031-16-4808 / E-Mail: scott.nicklous@de.ibm.com / Schoenaicher
Str. 220, 71032 Boeblingen, Germany
IBM Deutschland Research & Development GmbH / Chair of the Supervisory
Board: Martina Koederitz / Managing Director: Dirk Wittkopp
Registered office: Böblingen / Register court: Amtsgericht Stuttgart,
HRB 243294
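As an added illustration of the defect class the advisory names (a file upload handler that does not restrict client-supplied path information), the following is a Portlet 3.0 action method written for this page, not code from the Pluto project or from the demo portlet it describes. The portlet name, the part name "file", the upload directory and the file-name policy are assumptions; the point is that nothing in the request may choose the directory, and the client-supplied name is reduced to a checked leaf name before any write.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
import javax.portlet.PortletException;
import javax.portlet.annotations.ActionMethod;
import javax.portlet.annotations.PortletConfiguration;
import javax.servlet.http.Part;

// Hypothetical portlet; not part of Apache Pluto or its demo portlets.
@PortletConfiguration(portletName = "SafeUploadPortlet")
public class SafeUploadPortlet {

    // Assumed fixed destination. The request never influences which directory is used.
    private static final Path UPLOAD_DIR =
            Paths.get("/var/lib/portal/uploads").toAbsolutePath().normalize();

    @ActionMethod(portletName = "SafeUploadPortlet", actionName = "upload")
    public void upload(ActionRequest req, ActionResponse resp) throws PortletException, IOException {
        Part part = req.getPart("file");            // Portlet 3.0 multipart support (assumed part name)
        if (part == null) {
            throw new PortletException("no file part in request");
        }
        String safeName = sanitizeFileName(part.getSubmittedFileName());
        Path target = UPLOAD_DIR.resolve(safeName).normalize();
        // Defence in depth: even after sanitizing, refuse anything that resolves outside UPLOAD_DIR.
        if (!target.startsWith(UPLOAD_DIR)) {
            throw new PortletException("upload path escapes the upload directory");
        }
        try (InputStream in = part.getInputStream()) {
            Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
        }
        resp.getRenderParameters().setValue("stored", safeName);
    }

    /** Keeps only the last path element of the client-supplied name and rejects anything else. */
    static String sanitizeFileName(String submitted) throws PortletException {
        if (submitted == null || submitted.isEmpty()) {
            throw new PortletException("missing file name");
        }
        // Clients may send full paths with either separator; keep only the leaf component.
        String leaf = submitted.replace('\\', '/');
        leaf = leaf.substring(leaf.lastIndexOf('/') + 1);
        // Allow-list policy (assumed): plain names only, no dot-only names, bounded length.
        if (leaf.equals(".") || leaf.equals("..") || !leaf.matches("[A-Za-z0-9._-]{1,100}")) {
            throw new PortletException("rejected file name");
        }
        return leaf;
    }
}
```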