CVE-2016-2164 – org.apache.openmeetings:openmeetings-parent
Package
Manager: maven
Name: org.apache.openmeetings:openmeetings-parent
Vulnerable Version: >=0 <3.1.1
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.01232 (percentile: 0.78417)
Details
Apache OpenMeetings allows remote attackers to read arbitrary files by attempting to upload a file.
The (1) FileService.importFileByInternalUserId and (2) FileService.importFile SOAP API methods in Apache OpenMeetings before 3.1.1 improperly use the Java URL class without checking the specified protocol handler, which allows remote attackers to read arbitrary files by attempting to upload a file.
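The missing check described above, sketched as an added example (not code from OpenMeetings or from the advisory): a caller-supplied import URL is parsed with java.net.URL and its protocol is compared against an allowlist before anything opens it. The class name ImportUrlCheck, the method parseImportUrl and the http/https allowlist are assumptions made for illustration.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper, not OpenMeetings code: checks the protocol of a
// caller-supplied import URL before anything calls openStream() on it.
public class ImportUrlCheck {
    // Assumption: a remote file import only ever needs to fetch over HTTP(S).
    private static final Set<String> ALLOWED = Set.of("http", "https");

    static URL parseImportUrl(String raw) throws MalformedURLException {
        // java.net.URL also has built-in handlers for file:, jar:, ftp: and others,
        // so a successful parse says nothing about where the data comes from.
        URL url = new URL(raw);
        String protocol = url.getProtocol().toLowerCase(Locale.ROOT);
        if (!ALLOWED.contains(protocol)) {
            throw new MalformedURLException("protocol not allowed for import: " + protocol);
        }
        if (url.getHost() == null || url.getHost().isEmpty()) {
            throw new MalformedURLException("import URL has no host");
        }
        return url;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, covering allowed and disallowed handlers.
        List<String> samples = List.of(
            "https://files.example.org/slides.pdf",
            "HTTP://files.example.org/slides.pdf",
            "file:///etc/hostname",
            "jar:file:///opt/app/lib.jar!/META-INF/MANIFEST.MF",
            "https:///no-host");
        for (String s : samples) {
            try {
                System.out.println("accept " + parseImportUrl(s));
            } catch (MalformedURLException e) {
                System.out.println("reject " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

This check addresses only the protocol handler issue named in the advisory; it does not restrict which hosts an accepted URL may point to.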
Metadata
Created: 2022-05-14T02:46:39Z
Modified: 2022-11-22T18:57:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f6vf-465r-h42p/GHSA-f6vf-465r-h42p.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-f6vf-465r-h42p
Finding: F038
Auto approve: 1