CVE-2017-5869

Опубликовано: 24 мар. 2017

Источник: nvd

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

Directory traversal vulnerability in the file import feature in Nuxeo Platform 6.0, 7.1, 7.2, and 7.3 allows remote authenticated users to upload and execute arbitrary JSP code via a .. (dot dot) in the X-File-Name header.

Ссылки

http://www.openwall.com/lists/oss-security/2017/03/23/6
Exploit
Mailing List
Patch
Third Party Advisory
http://www.securityfocus.com/bid/97083
https://sysdream.com/news/lab/2017-03-23-cve-2017-5869-nuxeo-platform-remote-code-execution/
https://www.exploit-db.com/exploits/41748/
http://www.openwall.com/lists/oss-security/2017/03/23/6
Exploit
Mailing List
Patch
Third Party Advisory
http://www.securityfocus.com/bid/97083
https://sysdream.com/news/lab/2017-03-23-cve-2017-5869-nuxeo-platform-remote-code-execution/
https://www.exploit-db.com/exploits/41748/

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:nuxeo:nuxeo:6.0:*:*:*:*:*:*:*

cpe:2.3:a:nuxeo:nuxeo:7.1:*:*:*:*:*:*:*

cpe:2.3:a:nuxeo:nuxeo:7.2:*:*:*:*:*:*:*

cpe:2.3:a:nuxeo:nuxeo:7.3:*:*:*:*:*:*:*

EPSS

Процентиль: 85%

0.02599

Низкий

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-22

Связанные уязвимости

GHSA-r32w-jwh3-hc96