CVE-2016-2164

HIGH7.5EPSS 1.2%

Apache OpenMeetings allows remote attackers to read arbitrary files by attempting to upload a file

發布日:2022/5/14修改日:2023/11/8

描述

The (1) FileService.importFileByInternalUserId and (2) FileService.importFile SOAP API methods in Apache OpenMeetings before 3.1.1 improperly use the Java URL class without checking the specified protocol handler, which allows remote attackers to read arbitrary files by attempting to upload a file.

受影響套件(1)

Maven/org.apache.openmeetings:openmeetings-parentfrom 0, < 3.1.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2016-2164
PATCHhttps://github.com/apache/openmeetings
WEBhttp://openmeetings.apache.org/security.html
WEBhttp://packetstormsecurity.com/files/136434/Apache-OpenMeetings-3.0.7-Arbitary-File-Read.html
WEBhttps://www.apache.org/dist/openmeetings/3.1.1/CHANGELOG