Vulnerability Details CVE-2019-17352
In JFinal cos before 2019-08-13, as used in JFinal 4.4, there is a vulnerability that can bypass the isSafeFile() function: one can upload any type of file. For example, a .jsp file may be stored and almost immediately deleted, but this deletion step does not occur for certain exceptions.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 52.0%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://gitee.com/jfinal/cos/commit/5eb23d6e384abaad19faa7600d14c9a2f525946a
- https://gitee.com/jfinal/cos/commit/8d26eec61f0d072a68bf7393cf3a8544a1112130
- https://github.com/jfinal/jfinal/issues/171
- https://gitee.com/jfinal/cos/commit/5eb23d6e384abaad19faa7600d14c9a2f525946a
- https://gitee.com/jfinal/cos/commit/8d26eec61f0d072a68bf7393cf3a8544a1112130
- https://github.com/jfinal/jfinal/issues/171
Products affected by CVE-2019-17352
-
cpe:2.3:a:jfinal:jfinal:-
-
cpe:2.3:a:jfinal:jfinal:1.2
-
cpe:2.3:a:jfinal:jfinal:1.3
-
cpe:2.3:a:jfinal:jfinal:1.4
-
cpe:2.3:a:jfinal:jfinal:1.5
-
cpe:2.3:a:jfinal:jfinal:1.6
-
cpe:2.3:a:jfinal:jfinal:1.8
-
cpe:2.3:a:jfinal:jfinal:1.9
-
cpe:2.3:a:jfinal:jfinal:2.0
-
cpe:2.3:a:jfinal:jfinal:2.1
-
cpe:2.3:a:jfinal:jfinal:2.2
-
cpe:2.3:a:jfinal:jfinal:3.0
-
cpe:2.3:a:jfinal:jfinal:3.1
-
cpe:2.3:a:jfinal:jfinal:3.2
-
cpe:2.3:a:jfinal:jfinal:3.4
-
cpe:2.3:a:jfinal:jfinal:3.5
-
cpe:2.3:a:jfinal:jfinal:3.6
-
cpe:2.3:a:jfinal:jfinal:3.7
-
cpe:2.3:a:jfinal:jfinal:3.8
-
cpe:2.3:a:jfinal:jfinal:4.1
-
cpe:2.3:a:jfinal:jfinal:4.2
-
cpe:2.3:a:jfinal:jfinal:4.3