Vulnerability Description
Directory traversal vulnerability in the file import feature in Nuxeo Platform 6.0, 7.1, 7.2, and 7.3 allows remote authenticated users to upload and execute arbitrary JSP code via a .. (dot dot) in the X-File-Name header.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nuxeo | Nuxeo | 6.0 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2017/03/23/6 (Exploit, Mailing List, Patch)
- http://www.securityfocus.com/bid/97083
- https://sysdream.com/news/lab/2017-03-23-cve-2017-5869-nuxeo-platform-remote-cod
- https://www.exploit-db.com/exploits/41748/
FAQ
What is CVE-2017-5869?
CVE-2017-5869 is a vulnerability with a CVSS score of 8.8 (HIGH). Directory traversal vulnerability in the file import feature in Nuxeo Platform 6.0, 7.1, 7.2, and 7.3 allows remote authenticated users to upload and execute arbitrary JSP code via a .. (dot dot) in the X-File-Name header.
How severe is CVE-2017-5869?
CVE-2017-5869 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2017-5869?
Check the references section above for vendor advisories and patch information. Affected products include: Nuxeo Nuxeo.