oss-sec mailing list archives
[CVE-2018-11789] Apache Incubator Heron file access vulnerability
From: Neng Lu <freeneng () gmail com>
Date: Wed, 6 Mar 2019 14:22:45 -0800
Severity: Important Vendor: The Apache Software Foundation Versions Affected: Heron 0.13.0 to 0.17.8 Description: When accessing the heron-ui webpage, people can modify the file paths outside of the current container to access any file on the host. Mitigation: All Heron users should upgrade to 0.20.0-incubating Example: modify the parameter path= to go to the directory you would like to view. i.e. ..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd Credit: This issue was discovered by Windham Wong of stormeye.io -- Best Regards, Neng
Current thread:
- [CVE-2018-11789] Apache Incubator Heron file access vulnerability Neng Lu (Mar 07)