oss-sec mailing list archives
[ CVE-2018-1306 ] Apache Portals Pluto information disclosure vulnerability
From: "Martin Scott Nicklous" <Scott.Nicklous () de ibm com>
Date: Tue, 26 Jun 2018 14:06:17 +0200
Affected Product: Apache Pluto

Severity: Important

Vendor: The Apache Software Foundation

CVEID: CVE-2018-1306

DESCRIPTION:
The PortletV3AnnotatedDemo Multipart Portlet war file code could allow a remote attacker to obtain sensitive information, caused by the failure to restrict path information provided during a file upload. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.

Versions Affected: 3.0.0

Mitigation:
* Uninstall the PortletV3AnnotatedDemo Multipart Portlet war file
- or -
* migrate to version 3.0.1

Credit: Che-Chun Kuo

Kind regards,
Scott Nicklous

WebSphere Portal Standardization Lead & Technology Consultant
Specification Lead, JSR 362 Portlet Specification 3.0
IBM Commerce, Digital Experience Development
Phone: +49-7031-16-4808 / E-Mail: scott.nicklous () de ibm com / Schoenaicher Str. 220, 71032 Boeblingen, Germany
IBM Deutschland Research & Development GmbH / Chairman of the Supervisory Board: Martina Koederitz / Management: Dirk Wittkopp
Registered office: Böblingen / Registration court: Amtsgericht Stuttgart, HRB 243294
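A defensive check for the bug class the advisory describes (path information in an upload file name not being restricted), as an added example that is not part of the original message and is not taken from the Pluto code base or its 3.0.1 fix. The class and method names, the upload directory and the sample file names are constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

// Hypothetical helper: maps a client-supplied upload name to a path that is
// guaranteed to stay inside the upload directory, or throws.
public class UploadPathCheck {

    static Path resolveUpload(Path baseDir, String submittedName) throws IOException {
        if (submittedName == null || submittedName.isEmpty()) {
            throw new IOException("missing file name");
        }
        // Keep only the last path component. Both '/' and '\' count as
        // separators because the name comes from the client, not the server OS.
        int cut = Math.max(submittedName.lastIndexOf('/'), submittedName.lastIndexOf('\\'));
        String leaf = submittedName.substring(cut + 1);
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..") || leaf.indexOf('\0') >= 0) {
            throw new IOException("rejected file name");
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path target;
        try {
            target = base.resolve(leaf).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("rejected file name", e);
        }
        // Defense in depth: the normalized result must still sit below base
        // (catches platform-specific forms such as drive-relative names).
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IOException("path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("uploads");
        // Constructed sample names, as a client might submit them.
        String[] names = {"report.txt", "../../conf/settings.xml",
                          "..\\..\\conf\\settings.xml", "..", "/etc/hosts"};
        for (String n : names) {
            try {
                System.out.println(n + " -> " + resolveUpload(base, n));
            } catch (IOException e) {
                System.out.println(n + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Every accepted name resolves to a direct child of the upload directory; the same resolved path should be used for any later read or display of the uploaded file, so the client-supplied string is never used as a path again.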