Vulnerability Description
In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component. The cause is an incomplete extraction of the file name in the FileUploadProcessor.stripFileName(String name) method. When the method finds a / in the path, it removes everything before it, but any \ (backslashes) that come after it are kept. For example, a file name such as /..\..\webapps\shell.war can be used to upload a file to a Tomcat server under Windows, which is then saved as ..\..\webapps\shell.war in its webapps directory and can then be executed.
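The behaviour described above, modelled as an added example that is not the RAP source code: `stripForwardSlashOnly` reproduces the described handling (only `/` is treated as a separator), and `safeFileName` and `resolveInside` show one hardened form an upload handler could use. The class name, all method names and the `uploads` directory are assumptions made for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class UploadNameCheck {

    // Model of the behaviour the advisory describes (not the RAP source):
    // only '/' counts as a separator, so backslashes after it survive.
    static String stripForwardSlashOnly(String name) {
        int i = name.lastIndexOf('/');
        return i >= 0 ? name.substring(i + 1) : name;
    }

    // Hardened form (hypothetical helper): treat '/' and '\' as separators on
    // every platform, then refuse anything that is not a plain file name.
    static String safeFileName(String name) {
        int i = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        String base = name.substring(i + 1);
        if (base.isEmpty() || base.equals(".") || base.equals("..")
                || base.indexOf(':') >= 0 || base.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("rejected upload name");
        }
        return base;
    }

    // Defence in depth (hypothetical helper): the resolved target must stay
    // inside the upload directory even if name validation is bypassed.
    static Path resolveInside(Path uploadDir, String name) {
        Path root = uploadDir.toAbsolutePath().normalize();
        Path target = root.resolve(safeFileName(name)).normalize();
        if (!target.startsWith(root)) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        // File name quoted in the vulnerability description.
        String name = "/..\\..\\webapps\\shell.war";
        System.out.println("forward-slash only: " + stripForwardSlashOnly(name));
        System.out.println("both separators:    " + safeFileName(name));
        System.out.println("resolved target:    "
                + resolveInside(Paths.get("uploads"), name));
    }
}
```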
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eclipse | Remote Application Platform | >= 3.0.0, <= 3.25.0 |
Related Weaknesses (CWE)
References
- https://github.com/eclipse-rap/org.eclipse.rap/pull/141 (Issue Tracking, Patch)
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/160 (Exploit, Issue Tracking)
FAQ
What is CVE-2023-4760?
CVE-2023-4760 is a vulnerability with a CVSS score of 7.6 (HIGH). In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component. The reason for this is a not completely secure ex...
How severe is CVE-2023-4760?
CVE-2023-4760 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-4760?
Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Remote Application Platform.