Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1mNnZmLTQ2NXItaDQycM4AAV-o

Apache OpenMeetings allows remote attackers to read arbitrary files by attempting to upload a file

The (1) FileService.importFileByInternalUserId and (2) FileService.importFile SOAP API methods in Apache OpenMeetings before 3.1.1 improperly use the Java URL class without checking the specified protocol handler, which allows remote attackers to read arbitrary files by attempting to upload a file.

Permalink: https://github.com/advisories/GHSA-f6vf-465r-h42p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNnZmLTQ2NXItaDQycM4AAV-o
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: over 1 year ago


CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-f6vf-465r-h42p, CVE-2016-2164
References: Blast Radius: 0.0

Affected Packages

maven:org.apache.openmeetings:openmeetings-parent
Dependent packages: 0
Dependent repositories: 1
Downloads:
Affected Version Ranges: < 3.1.1
Fixed in: 3.1.1
All affected versions:
All unaffected versions: 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 4.0.0, 4.0.1, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.9, 4.0.10, 4.0.11, 5.0.0, 5.1.0, 6.2.0, 6.3.0, 7.0.0, 7.2.0