Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2018-1316

High

7.5/10

Summary

The ODE process deployment web service was sensible to deployment messages with forged names. Using a path for the name was allowing directory traversal, resulting in the potential writing of files under unwanted locations, the overwriting of existing files or their deletion. This issue was addressed in Apache ODE 1.3.3 which was released in 2009, however the incorrect name CVE-2008-2370 was used on the advisory by mistake.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-22 - Path Traversal

Path traversal (or directory traversal), is a vulnerability that allows malicious users to traverse the server's root directory, gaining access to arbitrary files and folders such as application code & data, back-end credentials, and sensitive operating system files. In the worst-case scenario, an attacker could potentially execute arbitrary files on the server, resulting in a denial of service attack. Such an exploit may severely impact the integrity, confidentiality, and availability of an application.

References

Advisory

Advisory Timeline

Published Mar 05, 2018

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2018-1316

Summary

CWE-22 - Path Traversal

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS