
CVE-2023-4760: rt.rap: RCE on RAP File Upload (#160) · Issues · Eclipse Projects Security / vulnerability-reports · GitLab

In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when the FileUpload component is used.

The cause is incomplete sanitization of the uploaded file name in the FileUploadProcessor.stripFileName(String name) method. Once it finds a / in the path it discards everything before that slash, but any backslashes (\) that follow are kept, so directory components written with \ survive into the stored file name.

For example, a file name such as /…\webapps\shell.war can be used to upload a file to a Tomcat server running on Windows; the file is then saved as …\webapps\shell.war in the server's webapps directory, where it can be executed.
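The separator handling described above (and restated in the report below), illustrated with an added Java example that is not Eclipse RAP's own code: stripFileNameWeak reconstructs the described behaviour of cutting everything up to the last / while leaving \ untouched; stripFileNameSafe and staysInside are assumed hardening steps for illustration, not the project's actual fix. The sample inputs are constructed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;

public class FileNameStripDemo {

    // Reconstruction of the behaviour the report describes (assumption, not RAP's code):
    // discard everything up to the last '/', but leave any '\' in place.
    static String stripFileNameWeak(String name) {
        int slash = name.lastIndexOf('/');
        return slash >= 0 ? name.substring(slash + 1) : name;
    }

    // Hardened variant (an assumed fix, not the project's patch): treat both '/' and '\'
    // as separators regardless of host OS, then refuse anything that is not a plain
    // file name (empty, ".", "..", or containing a NUL byte).
    static String stripFileNameSafe(String name) {
        int cut = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        String base = cut >= 0 ? name.substring(cut + 1) : name;
        if (base.isEmpty() || base.equals(".") || base.equals("..") || base.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("rejected upload file name: " + name);
        }
        return base;
    }

    // Second line of defence at the point of writing: resolve the name against the upload
    // directory and confirm the normalized result is still inside it. Note that on POSIX a
    // name containing '\' is a single literal file name and passes, while on Windows the
    // same name is a path and escapes; this is exactly why stripping must handle both
    // separators rather than relying on the host's notion of a separator.
    static boolean staysInside(Path uploadDir, String fileName) {
        Path root = uploadDir.toAbsolutePath().normalize();
        Path target = root.resolve(fileName).normalize();
        return target.startsWith(root) && !target.equals(root);
    }

    public static void main(String[] args) {
        // Constructed sample inputs mirroring the mixed-separator case from the report.
        List<String> samples = Arrays.asList(
            "report.pdf",
            "/home/user/report.pdf",
            "C:\\Users\\user\\report.pdf",
            "/tmp\\sub\\report.pdf");
        Path uploadDir = Paths.get("uploads");
        for (String s : samples) {
            String weak = stripFileNameWeak(s);
            String safe;
            try {
                safe = stripFileNameSafe(s);
            } catch (IllegalArgumentException e) {
                safe = "<rejected>";
            }
            System.out.printf("%-30s weak=%-28s safe=%-12s weakStaysInside=%b%n",
                s, weak, safe, staysInside(uploadDir, weak));
        }
    }
}
```

Running the example shows the weak variant returning "tmp\sub\report.pdf" and "C:\Users\user\report.pdf" as supposed file names, whereas the hardened variant reduces every input to "report.pdf"; the staysInside column differs between Windows and POSIX for the weak output, which is the platform dependence the advisory points out.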


rt.rap: RCE on RAP File Upload

Reported by @melazrak at the Security mailing list

Basic information

Project name: Eclipse RAP

Project id: rt.rap

What are the affected versions?

Not communicated

Details of the issue

I noticed a security issue on org.eclipse.rap.fileupload component and I would like to inform you about it. According to your Security Policy I tried to report vulnerabilities using the Eclipse Foundation’s Bugzilla instance but when I created a new account I was asked to have at least one active component in order for me to enter a bug into the product Community. So I am reporting it to you via email.

Remote Code Execution is possible on Windows due to improper filename sanitization for features relying on the servicehandler=org.eclipse.rap.fileupload mechanism. A partial sanitization of the filename is done in the stripFileName method. When this method finds a / it removes everything before it but keeps the potential \s. So for the filename “/…\webapps\shell.war” the stripFileName method keeps "…\webapps\shell.war".

Proof when running an app using RAP Fileupload on a Tomcat Server on Windows

The file is saved on webapps folder

Please feel free to ask for more details if needed.

Steps to reproduce

See above

Do you know any mitigations of the issue?

Not communicated

Reported on: August 28, 2023
