Description

A specially crafted url could be used to access files under the ROOT directory of the application on Apache JSPWiki 2.9.0 to 2.11.0.M2, which could be used by an attacker to obtain registered users' details.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/03/26/2

http://www.securityfocus.com/bid/107627

https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0225

https://lists.apache.org/thread.html/03ddbcb1d6322e04734e65805a147a32bcfdb71b8fc5821fb046ba8d%40%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/4f19fdbd8b9c4caf6137a459d723f4ec60379b033ed69277eb4e0af9%40%3Cuser.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/6251c06cb11e0b495066be73856592dbd7ed712487ef283d10972831%40%3Cdev.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E

Related Vulnerabilities

CVE-2022-26049 Vulnerability in maven package com.diffplug.gradle:goomph

CVE-2022-36090 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore

CVE-2021-38153 Vulnerability in maven package org.apache.kafka:kafka-clients

CVE-2021-25912 Vulnerability in npm package dotty

CVE-2018-20676 Vulnerability in maven package org.fujion.webjars:bootstrap

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory VDB Entry Vendor Advisory