QwikSec

Security Database

CVE

CWE

Training

CVE-2016-0709

Published: Apr 11, 2016

Modified: Aug 5, 2024

PUBLISHED

Description

Directory traversal vulnerability in the Import/Export function in the Portal Site Manager in Apache Jetspeed before 2.3.1 allows remote authenticated administrators to write to arbitrary files, and consequently execute arbitrary code, via a .. (dot dot) in a ZIP archive entry, as demonstrated by "../../webapps/x.jsp."

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

exploit

x_refsource_EXPLOIT-DB

https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-0709

x_refsource_CONFIRM

[portals-jetspeed-user] 20160303 [CVE-2016-0709] Apache Jetspeed information disclosure vulnerability

mailing-list

x_refsource_MLIST

http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and

x_refsource_MISC

http://www.rapid7.com/db/modules/exploit/multi/http/apache_jetspeed_file_upload

x_refsource_MISC

http://packetstormsecurity.com/files/136489/Apache-Jetspeed-Arbitrary-File-Upload.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.