CVE-2014-8114 – org.uberfire:uberfire-parent
Package
Manager: maven
Name: org.uberfire:uberfire-parent
Vulnerable Version: >=0.3.0.beta5 <=0.3.1.final
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.01771 (percentile 0.81945)
Details
UberFire Framework Improperly Restricts Paths
The UberFire Framework 0.3.x does not properly restrict paths, which allows remote attackers to (1) execute arbitrary code by uploading crafted content to FileUploadServlet or (2) read arbitrary files via vectors involving FileDownloadServlet.
Metadata
Created: 2022-05-14T01:10:41Z
Modified: 2023-08-16T22:23:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6h58-c7r7-g2hw/GHSA-6h58-c7r7-g2hw.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-6h58-c7r7-g2hw
Finding: F063
Auto approve: 1