Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1mNnZmLTQ2NXItaDQycM4AAV-o

Apache OpenMeetings allows remote attackers to read arbitrary files by attempting to upload a file

The (1) FileService.importFileByInternalUserId and (2) FileService.importFile SOAP API methods in Apache OpenMeetings before 3.1.1 improperly use the Java URL class without checking the specified protocol handler, which allows remote attackers to read arbitrary files by attempting to upload a file.

Permalink: https://github.com/advisories/GHSA-f6vf-465r-h42p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNnZmLTQ2NXItaDQycM4AAV-o
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 10 months ago


CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-f6vf-465r-h42p, CVE-2016-2164
References:

Affected Packages

maven:org.apache.openmeetings:openmeetings-parent
Versions: < 3.1.1
Fixed in: 3.1.1