[java-sig-commits] [Bug 1869682] New: CVE-2019-0233 struts: access permission override when performing a file upload leads to DoS

18 Aug 2020


      https://bugzilla.redhat.com/show_bug.cgi?id=1869682
Bug ID: 1869682
           Summary: CVE-2019-0233 struts: access permission override when
                    performing a file upload leads to DoS
           Product: Security Response
          Hardware: All
                OS: Linux
            Status: NEW
         Component: vulnerability
          Keywords: Security
          Severity: medium
          Priority: medium
          Assignee: security-response-team@redhat.com
          Reporter: gsuckevi@redhat.com
                CC: aboyko@redhat.com, aileenc@redhat.com,
                    asoldano@redhat.com, atangrin@redhat.com,
                    bbaranow@redhat.com, bmaxwell@redhat.com,
                    brian.stansberry@redhat.com, cdewolf@redhat.com,
                    chazlett@redhat.com, darran.lofthouse@redhat.com,
                    dbecker@redhat.com, dbhole@redhat.com,
                    dkreling@redhat.com, dosoudil@redhat.com,
                    eleandro@redhat.com, extras-orphan@fedoraproject.org,
                    gvarsami@redhat.com, iweiss@redhat.com,
                    java-sig-commits@lists.fedoraproject.org,
                    jawilson@redhat.com, jcoleman@redhat.com,
                    jjelen@redhat.com, jjoyce@redhat.com,
                    jochrist@redhat.com, jperkins@redhat.com,
                    jschluet@redhat.com, jwon@redhat.com,
                    kbasil@redhat.com, kconner@redhat.com,
                    krathod@redhat.com, kwills@redhat.com,
                    ldimaggi@redhat.com, lgao@redhat.com, lhh@redhat.com,
                    loleary@redhat.com, lpeer@redhat.com,
                    mburns@redhat.com, mkolesni@redhat.com,
                    mmraka@redhat.com, msochure@redhat.com,
                    msvehla@redhat.com, nwallace@redhat.com,
                    pjindal@redhat.com, pmackay@redhat.com,
                    psotirop@redhat.com, puntogil@libero.it,
                    rguimara@redhat.com, rstancel@redhat.com,
                    rsvoboda@redhat.com, rwagner@redhat.com,
                    sclewis@redhat.com, scohen@redhat.com,
                    slinaber@redhat.com, smaestri@redhat.com,
                    spinder@redhat.com, tcunning@redhat.com,
                    theute@redhat.com, tkirby@redhat.com,
                    tom.jenkinson@redhat.com
  Target Milestone: ---
    Classification: Other
When a file upload is performed to an Action that exposes the file with a
getter, an attacker may manipulate the request such that the working copy of
the uploaded file is set to read-only. As a result, subsequent actions on the
file will fail with an error. It might also be possible to set the Servlet
container's temp directory to read only, such that subsequent upload actions
will fail.
Reference:
https://cwiki.apache.org/confluence/display/WW/S2-060
-- 
You are receiving this mail because:
You are on the CC list for the bug.

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

[java-sig-commits] [Bug 1869682] New: CVE-2019-0233 struts: access permission override when performing a file upload leads to DoS