Description
A specially crafted url could be used to access files under the ROOT directory of the application on Apache JSPWiki 2.9.0 to 2.11.0.M2, which could be used by an attacker to obtain registered users' details.
Remediation
References
http://www.openwall.com/lists/oss-security/2019/03/26/2
http://www.securityfocus.com/bid/107627
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0225
https://lists.apache.org/thread.html/03ddbcb1d6322e04734e65805a147a32bcfdb71b8fc5821fb046ba8d%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/4f19fdbd8b9c4caf6137a459d723f4ec60379b033ed69277eb4e0af9%40%3Cuser.jspwiki.apache.org%3E
https://lists.apache.org/thread.html/6251c06cb11e0b495066be73856592dbd7ed712487ef283d10972831%40%3Cdev.jspwiki.apache.org%3E
https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E
https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E
Related Vulnerabilities
CVE-2020-8840 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2021-46062 Vulnerability in maven package net.mingsoft:ms-mcms
CVE-2020-2196 Vulnerability in maven package org.jenkins-ci.plugins:selenium
CVE-2022-34305 Vulnerability in maven package org.apache.tomcat:tomcat
CVE-2021-45046 Vulnerability in maven package org.apache.logging.log4j:log4j-core