Posted to jetspeed-user@portals.apache.org by David S Taylor <da...@bluesunrise.com> on 2016/03/03 22:16:00 UTC
[CVE-2016-0709] Apache Jetspeed information disclosure vulnerability
CVE-2016-0709: Code execution via ZIP file path traversal
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Jetspeed 2.2.0 to 2.2.2
Jetspeed 2.3.0
The unsupported Jetspeed 2.1.x versions may also be affected
Description:
The Import/Export function in the Portal Site Manager, part of the Jetspeed Administrative Portlets, is vulnerable to path traversal via specially crafted file names in ZIP archives. Any user with permission to upload files via this function can upload a file with a name like "../../../../tmp/foo" to write a file named "foo" in the /tmp directory. This is because the code that unzips the archive does not check the validity of the file names before writing them to disk. This can be turned into code execution by uploading a .jsp file and writing it to a location on the file system where the web server will execute it when visited.
Mitigation:
2.2.0 - 2.3.0 users should upgrade to 2.3.1
Credit:
This issue was discovered by Andreas Lindh
References:
http://tomcat.apache.org/security.html