Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mNnZmLTQ2NXItaDQycM4AAV-o
Apache OpenMeetings allows remote attackers to read arbitrary files by attempting to upload a file
The (1) FileService.importFileByInternalUserId and (2) FileService.importFile SOAP API methods in Apache OpenMeetings before 3.1.1 improperly use the Java URL class without checking the specified protocol handler, which allows remote attackers to read arbitrary files by attempting to upload a file.
Permalink: https://github.com/advisories/GHSA-f6vf-465r-h42pJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNnZmLTQ2NXItaDQycM4AAV-o
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: 4 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-f6vf-465r-h42p, CVE-2016-2164
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-2164
- https://www.apache.org/dist/openmeetings/3.1.1/CHANGELOG
- http://openmeetings.apache.org/security.html
- http://packetstormsecurity.com/files/136434/Apache-OpenMeetings-3.0.7-Arbitary-File-Read.html
- https://github.com/advisories/GHSA-f6vf-465r-h42p
Affected Packages
maven:org.apache.openmeetings:openmeetings-parent
Versions: < 3.1.1Fixed in: 3.1.1