Vulnerability Details CVE-2014-8114
The UberFire Framework 0.3.x does not properly restrict paths, which allows remote attackers to (1) execute arbitrary code by uploading crafted content to FileUploadServlet or (2) read arbitrary files via vectors involving FileDownloadServlet.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.018
EPSS Ranking 81.8%
CVSS Severity
CVSS v2 Score 6.8
References
- http://rhn.redhat.com/errata/RHSA-2015-0234.html
- http://rhn.redhat.com/errata/RHSA-2015-0235.html
- http://www.securityfocus.com/bid/88199
- https://github.com/uberfire/uberfire/commit/21ec50eb15
- http://rhn.redhat.com/errata/RHSA-2015-0234.html
- http://rhn.redhat.com/errata/RHSA-2015-0235.html
- http://www.securityfocus.com/bid/88199
- https://github.com/uberfire/uberfire/commit/21ec50eb15
Products affected by CVE-2014-8114
-
cpe:2.3:a:redhat:uberfire:0.3.0
-
cpe:2.3:a:redhat:uberfire:0.3.1
-
cpe:2.3:a:redhat:uberfire:0.3.2
-
cpe:2.3:a:redhat:uberfire:0.3.3