[CVE-2016-2164] Arbitrary file read via SOAP API Mar 25 2016 09:57AM
Maxim Solodovnik (solomax apache org)
Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7

When attempting to upload a file via the API using the
or importFile methods in the FileService, it is possible to read arbitrary
files from the system. This is due to that Java's URL class is used without
checking what protocol handler is specified in the API call.

All users are recommended to upgrade to Apache OpenMeetings 3.1.1

Credit: This issue was identified by Andreas Lindh

Apache OpenMeetings Team

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus