CVE-2018-11798

Published: 05 Oct 2018
Source: redhat
CVSS3: 7.5

Description

The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 has been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set web server's docroot path.

A flaw was found in the Node.js static web server in Apache Thrift, where it allowed a remote user to access files outside of the set web server's docroot path. An attacker could use this flaw to possibly access unauthorized files and sensitive information.

Report

OpenStack and OpenDaylight: The Java implementation of Thrift is used in OpenDaylight by parts of the vpnservice functionality. This flaw refers to the JavaScript (Node.js) server for Thrift, which is not used or shipped with OpenDaylight or any other part of Red Hat OpenStack Platform.

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat JBoss Fuse Service Works 6 | thrift | Out of support scope | | |
| Red Hat JBoss Operations Network 3 | libthrift | Will not fix | | |
| Red Hat OpenShift Application Runtimes | libthrift | Affected | | |
| Red Hat OpenShift Container Platform 3.10 | thrift | Not affected | | |
| Red Hat OpenShift Container Platform 3.11 | thrift | Not affected | | |
| Red Hat OpenShift Container Platform 3.4 | thrift | Not affected | | |
| Red Hat OpenShift Container Platform 3.5 | thrift | Not affected | | |
| Red Hat OpenShift Container Platform 3.6 | thrift | Not affected | | |
| Red Hat OpenShift Container Platform 3.7 | thrift | Not affected | | |
| Red Hat OpenShift Container Platform 3.9 | thrift | Not affected | | |

Additional information

Status: Important
Defect: CWE-284->CWE-22
https://bugzilla.redhat.com/show_bug.cgi?id=1667188 thrift: Improper Access Control grants access to files outside the webservers docroot path

CVSS3: 7.5 High

Related vulnerabilities

CVSS3: 6.5
ubuntu
about 7 years ago

The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 has been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set web server's docroot path.

CVSS3: 6.5
nvd
about 7 years ago

The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 has been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set web server's docroot path.

CVSS3: 6.5
debian
about 7 years ago

The Apache Thrift Node.js static web server in versions 0.9.2 through ...

CVSS3: 6.5
github
about 7 years ago

Apache Thrift Node.js static web server sandbox escape

CVSS3: 6.5
fstec
more than 7 years ago

A vulnerability in the Node.js library of the Apache Thrift interface description language that allows an attacker to gain unauthorized access to protected information