Lucene search

GoogleOSV:CVE-2023-4760

HistorySep 21, 2023 - 8:15 a.m.

CVE-2023-4760

2023-09-2108:15:09

Google

osv.dev

eclipse rap

windows

fileupload

remote code execution

security vulnerability

cve-2023-4760

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.8

Confidence

Low

EPSS

0.004

Percentile

74.1%

JSON

In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component.

The reason for this is a not completely secure extraction of the file name in the FileUploadProcessor.stripFileName(String name) method. As soon as this finds a / in the path, everything before it is removed, but potentially \ (backslashes) coming further back are kept.

For example, a file name such as /…..\webapps\shell.war can be used to upload a file to a Tomcat server under Windows, which is then saved as …..\webapps\shell.war in its webapps directory and can then be executed.

References

github.com/eclipse-rap/org.eclipse.rap/pull/141

gitlab.eclipse.org/security/vulnerability-reports/-/issues/160

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.8

Confidence

Low

EPSS

0.004

Percentile

74.1%

JSON

Related for OSV:CVE-2023-4760