Description

A specially crafted url could be used to access files under the ROOT directory of the application on Apache JSPWiki 2.9.0 to 2.11.0.M2, which could be used by an attacker to obtain registered users' details.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/03/26/2

http://www.securityfocus.com/bid/107627

https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0225

https://lists.apache.org/thread.html/03ddbcb1d6322e04734e65805a147a32bcfdb71b8fc5821fb046ba8d%40%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/4f19fdbd8b9c4caf6137a459d723f4ec60379b033ed69277eb4e0af9%40%3Cuser.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/6251c06cb11e0b495066be73856592dbd7ed712487ef283d10972831%40%3Cdev.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E

Related Vulnerabilities

CVE-2020-4051 Vulnerability in maven package org.webjars.bower:dijit

CVE-2023-26512 Vulnerability in maven package org.apache.eventmesh:eventmesh-connector-rabbitmq

CVE-2023-22474 Vulnerability in npm package parse-server

CVE-2021-27578 Vulnerability in maven package org.apache.zeppelin:zeppelin

CVE-2020-14966 Vulnerability in maven package org.webjars.bowergithub.kjur:jsrsasign

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory VDB Entry Vendor Advisory