Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 05 Oct 2017 08:54:30 +0000 (UTC)
From: Andrey Bazhenov <>
Subject: [CVE-2017-14614] GridGain Visor GUI Console - File System Path

Severity: Important 
 Vendor: GridGain Systems 
 Versions Affected: 
 * GridGain 8.1.4 and earlier 
 * GridGain 1.9.6 and earlier 
 * GridGain 1.8.11 and earlier 
 * GridGain 1.7.15 and earlier 
   The vulnerability impacts GridGain Visor GUI Management Console users. Visor allows open log files of remote cluster nodes and observe them locally. To get the logs a user needs to provide a path to the files. Visor does not sanitize the path provided that might result in an unauthorized access to sensitive files. 
   Visor GUI Console uses a user-supplied input to construct a pathname to a remote directory with log files. The application does not sanitize this path and malicious application users can get an access to restricted or sensitive files stored on a server’s file system. 
 Start cluster nodes under a system user that has restricted access to the file system. 
 In addition, to make the cluster more secure consider using GridGain’s Security module setting up basic authentication and authorization parameters.  
 Upgrade to the versions below to enable the path sanitization by default: 
 * GridGain 8.1.5 or later 
 * GridGain 1.9.7 or later 
 * GridGain 1.8.12 or later 
 * GridGain 1.7.16 or later 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.