Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThqMzktZmdmcC12eGg4
XXL-CONF Path Traversal vulnerability
An issue was discovered in XXL-CONF 1.6.0. There is a path traversal vulnerability via ../ in the keys parameter that can download any configuration file, related to ConfController.java and PropUtil.java.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThqMzktZmdmcC12eGg4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 6 years ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-8j39-fgfp-vxh8, CVE-2018-20094
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-20094
- https://github.com/xuxueli/xxl-conf/issues/61
- https://github.com/xuxueli/xxl-conf/blob/6726dfe7979ea6d8fb983771471cde69789de632/xxl-conf-admin/src/main/java/com/xxl/conf/admin/controller/ConfController.java
- https://github.com/advisories/GHSA-8j39-fgfp-vxh8
Blast Radius: 1.0
Affected Packages
maven:com.xuxueli:xxl-conf-admin
Affected Version Ranges: <= 1.6.0No known fixed version