CVE-2018-11789 Information

Description

When accessing the heron-ui webpage, users can modify file paths to point outside the current container and access any file on the host. An example would be modifying the path= parameter to go to the directory you would like to view, e.g. ..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

http://www.securityfocus.com/bid/107430

https://lists.apache.org/thread.html/5ea1a102d87a47c5912d745fa0d5dfa2830fc94099cbc30911f095b9@%3Cdev.heron.apache.org%3E

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

7.5

Base Severity

HIGH
