CVE-2018-20437

Опубликовано: 25 дек. 2018

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

An issue was discovered in the fileDownload function in the CommonController class in FEBS-Shiro before 2018-11-05. An attacker can download a file via a request of the form /common/download?filename=1.jsp&delete=false. NOTE: the software maintainer disputes the significance of this report because the product uses a JAR archive for deployment, and this contains application.yml with configuration data

Ссылки

https://github.com/wuyouzhuguli/FEBS-Shiro/commit/9a753215b0969a5d5b5bfe8c68585339fee96260
Patch
Third Party Advisory
https://github.com/wuyouzhuguli/FEBS-Shiro/commit/a9706b1b3c96bacece24886429b4423c3a467acd
Patch
Third Party Advisory
https://github.com/wuyouzhuguli/FEBS-Shiro/issues/40
Exploit
Third Party Advisory
https://github.com/wuyouzhuguli/FEBS-Shiro/commit/9a753215b0969a5d5b5bfe8c68585339fee96260
Patch
Third Party Advisory
https://github.com/wuyouzhuguli/FEBS-Shiro/commit/a9706b1b3c96bacece24886429b4423c3a467acd
Patch
Third Party Advisory
https://github.com/wuyouzhuguli/FEBS-Shiro/issues/40
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:mrbird:febs-shiro:*:*:*:*:*:*:*:*

Версия до 2018.11.05 (исключая)

EPSS

Процентиль: 65%

0.00502

Низкий

7.5 High

CVSS3

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-22

Связанные уязвимости

GHSA-fg3g-4m62-q7pr

CVSS3: 7.5

github

больше 3 лет назад

** DISPUTED ** An issue was discovered in the fileDownload function in the CommonController class in FEBS-Shiro before 2018-11-05. An attacker can download a file via a request of the form /common/download?filename=1.jsp&delete=false. NOTE: the software maintainer disputes the significance of this report because the product uses a JAR archive for deployment, and this contains application.yml with configuration data.

EPSS

Процентиль: 65%

0.00502

Низкий

7.5 High

CVSS3

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-22