incubator-general mailing list archives

From Neng Lu <freen...@gmail.com>
Subject [CVE-2018-11789] Apache Incubator Heron file access vulnerability
Date Wed, 06 Mar 2019 22:22:45 GMT
Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Heron 0.13.0 to 0.17.8

Description:
A user of the heron-ui web page can alter the file path parameter so that it
points outside the current container, and thereby read any file on the host.

Mitigation:
All Heron users should upgrade to 0.20.0-incubating

Example:
Modify the path= parameter to point at the directory you would like to view,
e.g. ..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
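The defensive check that closes this class of bug, added here as an illustration (this is not Heron's own code): the query-string value is percent-decoded, joined to the container directory, canonicalised, and rejected unless it still lies inside that directory. The function names and the sandbox path are assumptions.

```python
"""Containment check for a user-supplied file path parameter such as path=.
Added example, not Heron's code; names and the sandbox directory are assumed."""
import os
import urllib.parse


class PathTraversalError(ValueError):
    """Raised when the requested path would escape the allowed directory."""


def resolve_within(base_dir: str, requested: str) -> str:
    """Return the absolute path for `requested`, or raise if it leaves base_dir.

    `requested` is taken as it arrives on the query string, so it is
    percent-decoded first (decoding twice also catches double-encoded %252F).
    The containment test runs on realpath() output, so '..' segments and
    symlinks are resolved before the comparison rather than matched as text.
    """
    decoded = urllib.parse.unquote(urllib.parse.unquote(requested))
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    base = os.path.realpath(base_dir)
    # Strip leading slashes so an absolute path cannot discard the base in join().
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/\\")))
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{requested!r} resolves outside {base}")
    return candidate


def is_safe_request(base_dir: str, requested: str) -> bool:
    """True if the request stays inside base_dir, False if it would escape."""
    try:
        resolve_within(base_dir, requested)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed inputs: an ordinary log path and the traversal string from the advisory.
    sandbox = "/var/lib/heron/container-1"  # assumed container directory
    print(is_safe_request(sandbox, "logs/stdout.log"))
    print(is_safe_request(sandbox, "..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"))
```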

Credit:
This issue was discovered by Windham Wong of stormeye.io

-- 
Best Regards,
Neng
