Description
A specially crafted url could be used to access files under the ROOT directory of the application on Apache JSPWiki 2.9.0 to 2.11.0.M2, which could be used by an attacker to obtain registered users' details.
Remediation
References
http://www.openwall.com/lists/oss-security/2019/03/26/2
http://www.securityfocus.com/bid/107627
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0225
https://lists.apache.org/thread.html/03ddbcb1d6322e04734e65805a147a32bcfdb71b8fc5821fb046ba8d%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/4f19fdbd8b9c4caf6137a459d723f4ec60379b033ed69277eb4e0af9%40%3Cuser.jspwiki.apache.org%3E
https://lists.apache.org/thread.html/6251c06cb11e0b495066be73856592dbd7ed712487ef283d10972831%40%3Cdev.jspwiki.apache.org%3E
https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E
https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E
Related Vulnerabilities
CVE-2021-21169 Vulnerability in npm package electron
CVE-2021-23574 Vulnerability in npm package js-data
CVE-2018-1000632 Vulnerability in maven package dom4j:dom4j
CVE-2020-2202 Vulnerability in maven package org.jenkins-ci.plugins:fortify-on-demand-uploader
CVE-2021-21429 Vulnerability in maven package org.openapitools:openapi-generator-maven-plugin