Description

A specially crafted url could be used to access files under the ROOT directory of the application on Apache JSPWiki 2.9.0 to 2.11.0.M2, which could be used by an attacker to obtain registered users' details.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/03/26/2

http://www.securityfocus.com/bid/107627

https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0225

https://lists.apache.org/thread.html/03ddbcb1d6322e04734e65805a147a32bcfdb71b8fc5821fb046ba8d%40%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/4f19fdbd8b9c4caf6137a459d723f4ec60379b033ed69277eb4e0af9%40%3Cuser.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/6251c06cb11e0b495066be73856592dbd7ed712487ef283d10972831%40%3Cdev.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E

Related Vulnerabilities

CVE-2020-36629 Vulnerability in npm package httpster

CVE-2022-2421 Vulnerability in maven package org.webjars.npm:socket.io-parser

CVE-2021-29479 Vulnerability in maven package io.ratpack:ratpack-core

CVE-2022-26183 Vulnerability in npm package pnpm

CVE-2022-46363 Vulnerability in maven package org.apache.cxf:cxf-rt-transports-http

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory VDB Entry Vendor Advisory