CVE-2023-4760
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.7 High
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
66.3%
In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component.
The reason for this is a not completely secure extraction of the file name in the FileUploadProcessor.stripFileName(String name) method. As soon as this finds a / in the path, everything before it is removed, but potentially \ (backslashes) coming further back are kept.
For example, a file name such as /…..\webapps\shell.war can be used to upload a file to a Tomcat server under Windows, which is then saved as …..\webapps\shell.war in its webapps directory and can then be executed.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| eclipse:remote_application_platform | eclipse remote application platform | le | 3.25.0 |
CNA Affected
[
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Eclipse RAP",
"vendor": "Eclipse Foundation",
"versions": [
{
"lessThanOrEqual": "3.25.0",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
]Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.7 High
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
66.3%