CVE-2016-2164

7.5HIGH

Key Information:

Vendor: Apache
Status: Openmeetings
Vendor: CVE Published:; 11 April 2016

Summary

The (1) FileService.importFileByInternalUserId and (2) FileService.importFile SOAP API methods in Apache OpenMeetings before 3.1.1 improperly use the Java URL class without checking the specified protocol handler, which allows remote attackers to read arbitrary files by attempting to upload a file.

References

http://packetstormsecurity.com/files/136434/Apache-OpenMe...

x_refsource_MISC

https://www.apache.org/dist/openmeetings/3.1.1/CHANGELOG

x_refsource_CONFIRM

http://www.securityfocus.com/archive/1/537887/100/0/threaded

mailing-listx_refsource_BUGTRAQ

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 11, 2016
Vulnerability Reserved
Jan 29, 2016

.