Description

An issue was discovered in XXL-CONF 1.6.0. There is a path traversal vulnerability via ../ in the keys parameter that can download any configuration file, related to ConfController.java and PropUtil.java.

Remediation

References

https://github.com/xuxueli/xxl-conf/issues/61

Related Vulnerabilities

CVE-2020-36048 Vulnerability in maven package org.webjars.npm:engine.io

CVE-2023-37952 Vulnerability in maven package com.mabl.integration.jenkins:mabl-integration

CVE-2022-43406 Vulnerability in maven package org.jenkins-ci.plugins.workflow:workflow-cps-global-lib

CVE-2022-22885 Vulnerability in maven package cn.hutool:hutool-http

CVE-2018-14042 Vulnerability in maven package org.webjars.bowergithub.twbs:bootstrap-sass

Severity

High

Classification

CWE-22 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Exploit Issue Tracking Third Party Advisory