CVE-2023-4760 - Vulnerability Details - OpenCVE

In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component. The reason for this is a not completely secure extraction of the file name in the FileUploadProcessor.stripFileName(String name) method. As soon as this finds a / in the path, everything before it is removed, but potentially \ (backslashes) coming further back are kept. For example, a file name such as /..\..\webapps\shell.war can be used to upload a file to a Tomcat server under Windows, which is then saved as ..\..\webapps\shell.war in its webapps directory and can then be executed.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Eclipse	Remote Application Platform

Configuration 1 [-]

cpe:2.3:a:eclipse:remote_application_platform:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/eclipse-rap/org.eclipse.rap/pull/141
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/160

History

Tue, 24 Sep 2024 17:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: eclipse

Published: 2023-09-21T07:35:35.790Z

Updated: 2024-09-24T16:26:06.907Z

Reserved: 2023-09-04T16:06:47.588Z

Link: CVE-2023-4760

Vulnrichment

Updated: 2024-08-02T07:37:59.919Z

NVD

Status : Modified

Published: 2023-09-21T08:15:09.403

Modified: 2024-11-21T08:35:55.317

Link: CVE-2023-4760

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4760", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "state": "PUBLISHED", "assignerShortName": "eclipse", "dateReserved": "2023-09-04T16:06:47.588Z", "datePublished": "2023-09-21T07:35:35.790Z", "dateUpdated": "2024-09-24T16:26:06.907Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "Eclipse RAP", "vendor": "Eclipse Foundation", "versions": [{"lessThanOrEqual": "3.25.0", "status": "affected", "version": "3.0.0", "versionType": "semver"}]}], "datePublic": "2023-09-21T07:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component.<br>\n</div><div><br></div><div>The reason for this is a not completely secure extraction of the file name in the <code>FileUploadProcessor.stripFileName(String name)</code> method. As soon as this finds a <code>/</code> in the path, everything before it is removed, but potentially <code>\\</code> (backslashes) coming further back are kept.<br>\nFor example, a file name such as <code>/..\\..\\webapps\\shell.war</code> can be used to upload a file to a Tomcat server under Windows, which is then saved as <code>..\\..\\webapps\\shell.war</code> in its <code>webapps</code> directory and can then be executed.<br></div>"}], "value": "In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component.\n\n\n\n\n\n\nThe reason for this is a not completely secure extraction of the file name in the FileUploadProcessor.stripFileName(String name) method. As soon as this finds a / in the path, everything before it is removed, but potentially \\ (backslashes) coming further back are kept.\n\nFor example, a file name such as /..\\..\\webapps\\shell.war can be used to upload a file to a Tomcat server under Windows, which is then saved as ..\\..\\webapps\\shell.war in its webapps directory and can then be executed.\n\n\n"}], "impacts": [{"capecId": "CAPEC-154", "descriptions": [{"lang": "en", "value": "CAPEC-154 Resource Location Spoofing"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-23", "description": "CWE-23 Relative Path Traversal", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2023-09-21T07:35:35.790Z"}, "references": [{"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/160"}, {"url": "https://github.com/eclipse-rap/org.eclipse.rap/pull/141"}], "source": {"discovery": "UNKNOWN"}, "title": "Remote Code Execution in Eclipse RAP on Windows", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:37:59.919Z"}, "title": "CVE Program Container", "references": [{"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/160", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-rap/org.eclipse.rap/pull/141", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-24T16:25:22.581958Z", "id": "CVE-2023-4760", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-24T16:26:06.907Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/160", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-rap/org.eclipse.rap/pull/141", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:37:59.919Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-4760", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-24T16:25:22.581958Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-24T16:26:01.241Z"}}], "cna": {"title": "Remote Code Execution in Eclipse RAP on Windows", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-154", "descriptions": [{"lang": "en", "value": "CAPEC-154 Resource Location Spoofing"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Eclipse Foundation", "product": "Eclipse RAP", "versions": [{"status": "affected", "version": "3.0.0", "versionType": "semver", "lessThanOrEqual": "3.25.0"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "datePublic": "2023-09-21T07:00:00.000Z", "references": [{"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/160"}, {"url": "https://github.com/eclipse-rap/org.eclipse.rap/pull/141"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component.\n\n\n\n\n\n\nThe reason for this is a not completely secure extraction of the file name in the FileUploadProcessor.stripFileName(String name) method. As soon as this finds a / in the path, everything before it is removed, but potentially \\ (backslashes) coming further back are kept.\n\nFor example, a file name such as /..\\..\\webapps\\shell.war can be used to upload a file to a Tomcat server under Windows, which is then saved as ..\\..\\webapps\\shell.war in its webapps directory and can then be executed.\n\n\n", "supportingMedia": [{"type": "text/html", "value": "<div>In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component.<br>\n</div><div><br></div><div>The reason for this is a not completely secure extraction of the file name in the <code>FileUploadProcessor.stripFileName(String name)</code> method. As soon as this finds a <code>/</code> in the path, everything before it is removed, but potentially <code>\\</code> (backslashes) coming further back are kept.<br>\nFor example, a file name such as <code>/..\\..\\webapps\\shell.war</code> can be used to upload a file to a Tomcat server under Windows, which is then saved as <code>..\\..\\webapps\\shell.war</code> in its <code>webapps</code> directory and can then be executed.<br></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "CWE-23 Relative Path Traversal"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2023-09-21T07:35:35.790Z"}}}, "cveMetadata": {"cveId": "CVE-2023-4760", "state": "PUBLISHED", "dateUpdated": "2024-09-24T16:26:06.907Z", "dateReserved": "2023-09-04T16:06:47.588Z", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "datePublished": "2023-09-21T07:35:35.790Z", "assignerShortName": "eclipse"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:remote_application_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "11B55478-B8C8-47E0-B87D-7A02BB498FCD", "versionEndIncluding": "3.25.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component.\n\n\n\n\n\n\nThe reason for this is a not completely secure extraction of the file name in the FileUploadProcessor.stripFileName(String name) method. As soon as this finds a / in the path, everything before it is removed, but potentially \\ (backslashes) coming further back are kept.\n\nFor example, a file name such as /..\\..\\webapps\\shell.war can be used to upload a file to a Tomcat server under Windows, which is then saved as ..\\..\\webapps\\shell.war in its webapps directory and can then be executed.\n\n\n"}, {"lang": "es", "value": "En las versiones de Eclipse RAP desde 3.0.0 hasta 3.25.0 incluida, la Ejecuci\u00f3n Remota de C\u00f3digo es posible en Windows cuando se utiliza el componente FileUpload. La raz\u00f3n de esto es una extracci\u00f3n no completamente segura del nombre del archivo en el m\u00e9todo FileUploadProcessor.stripFileName(String name). Tan pronto como esto encuentre una/en la ruta, todo lo anterior se elimina, pero potencialmente \\ (barras invertidas) que vienen m\u00e1s atr\u00e1s se mantienen. Por ejemplo, se puede utilizar un nombre de archivo como /..\\..\\webapps\\shell.war para cargar un archivo en un servidor Tomcat en Windows, que luego se guarda como ..\\..\\webapps\\shell.war. en su directorio webapps y luego se puede ejecutar.\n"}], "id": "CVE-2023-4760", "lastModified": "2024-11-21T08:35:55.317", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "emo@eclipse.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-21T08:15:09.403", "references": [{"source": "emo@eclipse.org", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/eclipse-rap/org.eclipse.rap/pull/141"}, {"source": "emo@eclipse.org", "tags": ["Exploit", "Issue Tracking"], "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/160"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/eclipse-rap/org.eclipse.rap/pull/141"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking"], "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/160"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-23"}], "source": "emo@eclipse.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}