Posted to pluto-dev@portals.apache.org by Martin Scott Nicklous <Sc...@de.ibm.com> on 2018/06/26 12:06:17 UTC
[ CVE-2018-1306 ] Apache Portals Pluto information disclosure vulnerability
Affected Product: Apache Pluto
Severity: Important
Vendor: The Apache Software Foundation
CVEID: CVE-2018-1306
DESCRIPTION: The PortletV3AnnotatedDemo Multipart Portlet war file code
could allow a remote attacker to obtain sensitive information, caused by
the failure to restrict path information provided during a file upload. An
attacker could exploit this vulnerability to obtain configuration data and
other sensitive information.
Versions Affected:
3.0.0
Mitigation:
* Uninstall the PortletV3AnnotatedDemo Multipart Portlet war file
- or -
* Migrate to version 3.0.1
Credit:
Che-Chun Kuo
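The root cause named in the description above is a client-supplied upload file name that reaches the file system with its path components intact. The following is an added example, not code from Pluto or from the PortletV3AnnotatedDemo portlet, showing how a defender restricts that input before it is used to build a destination path. The upload directory and the sample file names are constructed for illustration; the submitted name is assumed to arrive as a multipart upload would deliver it (for example via javax.servlet.http.Part.getSubmittedFileName()), and the `SafeUploadName` class and its methods are hypothetical names chosen for this example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not Pluto's code): restrict path information carried by an
 * uploaded file name before the name is used to build a destination path.
 */
public final class SafeUploadName {

    private SafeUploadName() {}

    /**
     * Accept only a bare base name. Anything carrying path information
     * (either separator), a dot-only name, an empty name, or control
     * characters is rejected rather than silently rewritten, so that a
     * traversal attempt is visible to logging instead of being masked.
     */
    public static String sanitize(String submittedName) {
        if (submittedName == null) {
            throw new IllegalArgumentException("missing file name");
        }
        String name = submittedName.trim();
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            throw new IllegalArgumentException("invalid file name");
        }
        // Both separators are checked regardless of server OS: a Windows-style
        // path must not be accepted as a plain name on a Unix host or vice versa.
        if (name.indexOf('/') >= 0 || name.indexOf('\\') >= 0) {
            throw new IllegalArgumentException("path information in file name");
        }
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                throw new IllegalArgumentException("control character in file name");
            }
        }
        return name;
    }

    /**
     * Resolve the sanitized name under the upload directory and verify that the
     * normalized result still lies strictly inside it (defense in depth: even if
     * sanitize() were loosened later, nothing may escape the directory).
     */
    public static Path resolveUnder(Path uploadDir, String submittedName) {
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(sanitize(submittedName)).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException("file name escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed upload directory and sample names; none come from the advisory.
        Path dir = Paths.get("/var/tmp/uploads");
        String[] samples = {
            "report.pdf",
            "../../etc/passwd",
            "C:\\Users\\me\\notes.txt",
            "..",
            "a/../../b.txt",
            "  "
        };
        for (String s : samples) {
            try {
                System.out.println("\"" + s + "\" -> " + resolveUnder(dir, s));
            } catch (IllegalArgumentException e) {
                System.out.println("\"" + s + "\" -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Rejecting rather than stripping path components is a deliberate choice here: stripping to a base name also prevents traversal, but it turns an obvious probe into an ordinary-looking upload and removes the signal a defender would otherwise log. The second check in resolveUnder() costs nothing and catches any future relaxation of the first.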
Kind regards,
Scott Nicklous
WebSphere Portal Standardization Lead & Technology Consultant
Specification Lead, JSR 362 Portlet Specification 3.0
IBM Commerce, Digital Experience Development
Phone: +49-7031-16-4808 / E-Mail:scott.nicklous@de.ibm.com / Schoenaicher
Str. 220, 71032 Boeblingen, Germany
IBM Deutschland Research & Development GmbH / Chairwoman of the
Supervisory Board: Martina Koederitz / Managing Director: Dirk Wittkopp
Registered office: Böblingen / Registry court: Amtsgericht Stuttgart,
HRB 243294