Vulnerability Details CVE-2018-11789
When accessing the heron-ui webpage, people can modify the file paths outside of the current container to access any file on the host. Example woule be modifying the parameter path= to go to the directory you would like to view. i.e. ..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.022
EPSS Ranking 83.9%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 7.8
References
- http://www.securityfocus.com/bid/107430
- https://lists.apache.org/thread.html/5ea1a102d87a47c5912d745fa0d5dfa2830fc94099cbc30911f095b9%40%3Cdev.heron.apache.org%3E
- http://www.securityfocus.com/bid/107430
- https://lists.apache.org/thread.html/5ea1a102d87a47c5912d745fa0d5dfa2830fc94099cbc30911f095b9%40%3Cdev.heron.apache.org%3E
Products affected by CVE-2018-11789
-
cpe:2.3:a:apache:heron:0.13.1
-
cpe:2.3:a:apache:heron:0.13.2
-
cpe:2.3:a:apache:heron:0.13.3
-
cpe:2.3:a:apache:heron:0.13.4
-
cpe:2.3:a:apache:heron:0.13.5
-
cpe:2.3:a:apache:heron:0.13.6
-
cpe:2.3:a:apache:heron:0.13.7
-
cpe:2.3:a:apache:heron:0.14.0
-
cpe:2.3:a:apache:heron:0.14.1
-
cpe:2.3:a:apache:heron:0.14.10
-
cpe:2.3:a:apache:heron:0.14.11
-
cpe:2.3:a:apache:heron:0.14.12
-
cpe:2.3:a:apache:heron:0.14.2
-
cpe:2.3:a:apache:heron:0.14.3
-
cpe:2.3:a:apache:heron:0.14.4
-
cpe:2.3:a:apache:heron:0.14.5
-
cpe:2.3:a:apache:heron:0.14.6
-
cpe:2.3:a:apache:heron:0.14.6.1
-
cpe:2.3:a:apache:heron:0.14.6.2
-
cpe:2.3:a:apache:heron:0.14.6.3
-
cpe:2.3:a:apache:heron:0.14.7
-
cpe:2.3:a:apache:heron:0.14.7.1
-
cpe:2.3:a:apache:heron:0.14.7.2
-
cpe:2.3:a:apache:heron:0.14.7.3
-
cpe:2.3:a:apache:heron:0.14.8
-
cpe:2.3:a:apache:heron:0.14.9
-
cpe:2.3:a:apache:heron:0.14.9.1
-
cpe:2.3:a:apache:heron:0.15.0
-
cpe:2.3:a:apache:heron:0.15.1
-
cpe:2.3:a:apache:heron:0.15.1.1
-
cpe:2.3:a:apache:heron:0.15.1.2
-
cpe:2.3:a:apache:heron:0.15.1.3
-
cpe:2.3:a:apache:heron:0.15.1.4
-
cpe:2.3:a:apache:heron:0.15.1.5
-
cpe:2.3:a:apache:heron:0.15.2
-
cpe:2.3:a:apache:heron:0.15.3
-
cpe:2.3:a:apache:heron:0.16.0
-
cpe:2.3:a:apache:heron:0.16.0.1
-
cpe:2.3:a:apache:heron:0.16.1
-
cpe:2.3:a:apache:heron:0.16.2
-
cpe:2.3:a:apache:heron:0.16.3
-
cpe:2.3:a:apache:heron:0.16.4
-
cpe:2.3:a:apache:heron:0.16.4.1
-
cpe:2.3:a:apache:heron:0.16.4.2
-
cpe:2.3:a:apache:heron:0.16.4.3
-
cpe:2.3:a:apache:heron:0.16.5
-
cpe:2.3:a:apache:heron:0.16.5.1
-
cpe:2.3:a:apache:heron:0.16.5.2
-
cpe:2.3:a:apache:heron:0.16.5.3
-
cpe:2.3:a:apache:heron:0.17.0
-
cpe:2.3:a:apache:heron:0.17.0.1
-
cpe:2.3:a:apache:heron:0.17.0.2
-
cpe:2.3:a:apache:heron:0.17.0.3
-
cpe:2.3:a:apache:heron:0.17.0.4
-
cpe:2.3:a:apache:heron:0.17.0.5
-
cpe:2.3:a:apache:heron:0.17.0.6
-
cpe:2.3:a:apache:heron:0.17.1
-
cpe:2.3:a:apache:heron:0.17.2
-
cpe:2.3:a:apache:heron:0.17.2.1
-
cpe:2.3:a:apache:heron:0.17.2.2
-
cpe:2.3:a:apache:heron:0.17.3
-
cpe:2.3:a:apache:heron:0.17.3.1
-
cpe:2.3:a:apache:heron:0.17.4
-
cpe:2.3:a:apache:heron:0.17.4.1
-
cpe:2.3:a:apache:heron:0.17.5
-
cpe:2.3:a:apache:heron:0.17.5.1
-
cpe:2.3:a:apache:heron:0.17.6
-
cpe:2.3:a:apache:heron:0.17.7
-
cpe:2.3:a:apache:heron:0.17.8