Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1oNGM5LXJyNW0tMzJmbc4AAyfx

RuoYi vulnerable to arbitrary file download

An arbitrary file download vulnerability in the background management module of RuoYi v4.7.6 and below allows attackers to download arbitrary files in the server.

Permalink: https://github.com/advisories/GHSA-h4c9-rr5m-32fm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oNGM5LXJyNW0tMzJmbc4AAyfx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-h4c9-rr5m-32fm, CVE-2023-27025
References:

https://nvd.nist.gov/vuln/detail/CVE-2023-27025
https://gitee.com/y_project/RuoYi/commit/432d5ce1be2e9384a6230d7ccd8401eef5ce02b0
https://gitee.com/y_project/RuoYi/issues/I697Q5
https://github.com/advisories/GHSA-h4c9-rr5m-32fm

Blast Radius: 1.0

Affected Packages

maven:com.ruoyi:ruoyi

Affected Version Ranges: < 4.7.6
Fixed in: 4.7.6