Date: Tue, 26 Jun 2018 14:06:17 +0200
From: "Martin Scott Nicklous" <Scott.Nicklous@...ibm.com>
To: oss-security@...ts.openwall.com,
    "Apache Security Team" <security@...che.org>,
    "Portals PMC" <private@...tals.apache.org>,
    pluto-dev@...tals.apache.org, pluto-user@...tals.apache.org,
    Jackson <kuojackson17@...il.com>
Subject: [ CVE-2018-1306 ] Apache Portals Pluto information disclosure vulnerability
Affected Product: Apache Pluto

Severity: Important

Vendor: The Apache Software Foundation

CVEID: CVE-2018-1306

DESCRIPTION: The PortletV3AnnotatedDemo Multipart Portlet war file code
could allow a remote attacker to obtain sensitive information, caused by
the failure to restrict path information provided during a file upload. An
attacker could exploit this vulnerability to obtain configuration data and
other sensitive information.

Versions Affected:
3.0.0

Mitigation:
* Uninstall the PortletV3AnnotatedDemo Multipart Portlet war file
- or -
* migrate to version 3.0.1

Credit:
Che-Chun Kuo

Kind regards,
Scott Nicklous

WebSphere Portal Standardization Lead & Technology Consultant
Specification Lead, JSR 362 Portlet Specification 3.0
IBM Commerce, Digital Experience Development

Phone: +49-7031-16-4808 / E-Mail:scott.nicklous@...ibm.com /  Schoenaicher
Str. 220, 71032 Boeblingen, Germany
IBM Deutschland Research & Development GmbH / Chair of the Supervisory
Board: Martina Koederitz / Managing Director: Dirk Wittkopp
Registered office: Böblingen / Registration court: Amtsgericht Stuttgart,
HRB 243294
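Editor's note: the advisory describes a defect class (path information supplied with a multipart upload that the handler does not restrict) without showing code. The Java example below is an added illustration written for this page; it is not code from Apache Pluto or the demo portlet and makes no claim about how that portlet was implemented. The class name, method names, the temp-directory layout and the sample filename "../secret.conf" are all constructed for the demonstration. It shows the unsafe pattern (joining the client-supplied name to a base directory unchanged) beside a hardened version that keeps only the last path component and then verifies containment.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

/*
 * Illustrative example (not Apache Pluto code): two ways a multipart upload
 * handler can turn the client-controlled "filename" of a Content-Disposition
 * header into a filesystem path. The defect class is the one the advisory
 * names: path information in the upload is not restricted, so a name that
 * contains "../" escapes the intended upload directory.
 */
public class UploadPathDemo {

    /** Unsafe: the attacker-controlled name is joined to the base directory
     *  as-is, so "../secret.conf" resolves to a sibling of uploadDir. */
    static Path unsafeTarget(Path uploadDir, String clientFileName) {
        return uploadDir.resolve(clientFileName);
    }

    /** Hardened: keep only the last path component, reject empty or dot
     *  names, then confirm the normalized real path is still inside
     *  uploadDir (defense in depth in case stripping ever misses a case). */
    static Path safeTarget(Path uploadDir, String clientFileName) throws IOException {
        // Browsers send a bare name, but some clients send a full path,
        // including backslash-separated Windows paths. Keep the last component.
        String name = clientFileName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            throw new IOException("rejected upload filename: " + clientFileName);
        }
        Path base = uploadDir.toRealPath();
        Path target = base.resolve(name).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("upload escaped base directory: " + clientFileName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: an upload directory with a sensitive sibling file.
        Path root = Files.createTempDirectory("upload-demo");
        Path uploadDir = Files.createDirectories(root.resolve("uploads"));
        Path secret = root.resolve("secret.conf");
        Files.write(secret, "db.password=hunter2\n".getBytes(StandardCharsets.UTF_8));

        // Constructed attacker-supplied filename from a multipart part.
        String hostile = "../secret.conf";

        // Unsafe handler: the resolved path points outside uploadDir, so a
        // handler that reads the file back (or writes over it) exposes it.
        Path bad = unsafeTarget(uploadDir, hostile).normalize();
        System.out.println("unsafe resolves to: " + bad);
        System.out.println("  content exposed:  "
                + new String(Files.readAllBytes(bad), StandardCharsets.UTF_8).trim());

        // Hardened handler: the same input is confined to uploadDir.
        Path good = safeTarget(uploadDir, hostile);
        System.out.println("safe resolves to:   " + good);
        System.out.println("  inside uploadDir: " + good.startsWith(uploadDir.toRealPath()));
    }
}
```

Compile and run with `javac UploadPathDemo.java && java UploadPathDemo`. The hardened version deliberately normalizes after stripping and still checks `startsWith(base)`; relying on either step alone is the usual way such filters get bypassed. Note that the example uses `toRealPath()` for the base so that the containment check holds even when the temp directory is reached through a symlink.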
