Vulnerability Description
The (1) FileService.importFileByInternalUserId and (2) FileService.importFile SOAP API methods in Apache OpenMeetings before 3.1.1 improperly use the Java URL class without checking the specified protocol handler, which allows remote attackers to read arbitrary files by attempting to upload a file.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Openmeetings | <= 3.1.0 |
Related Weaknesses (CWE)
References
- http://openmeetings.apache.org/security.htmlPatchVendor Advisory
- http://packetstormsecurity.com/files/136434/Apache-OpenMeetings-3.0.7-Arbitary-F
- http://www.securityfocus.com/archive/1/537887/100/0/threaded
- https://www.apache.org/dist/openmeetings/3.1.1/CHANGELOG
- http://openmeetings.apache.org/security.htmlPatchVendor Advisory
- http://packetstormsecurity.com/files/136434/Apache-OpenMeetings-3.0.7-Arbitary-F
- http://www.securityfocus.com/archive/1/537887/100/0/threaded
- https://www.apache.org/dist/openmeetings/3.1.1/CHANGELOG
FAQ
What is CVE-2016-2164?
CVE-2016-2164 is a vulnerability with a CVSS score of 7.5 (HIGH). The (1) FileService.importFileByInternalUserId and (2) FileService.importFile SOAP API methods in Apache OpenMeetings before 3.1.1 improperly use the Java URL class without checking the specified prot...
How severe is CVE-2016-2164?
CVE-2016-2164 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-2164?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Openmeetings.