Path Traversal Vulnerability in XXL-CONF by XXL-JOB
CVE-2018-20094

7.5HIGH

Key Information:

Vendor: Xuxueli
Status: Xxl-conf
Vendor: CVE Published:; 12 December 2018

What is CVE-2018-20094?

A path traversal vulnerability exists in XXL-CONF 1.6.0, allowing an attacker to exploit the keys parameter and gain unauthorized access to sensitive configuration files. This flaw, linked to ConfController.java and PropUtil.java, can be exploited by manipulating file paths, enabling attackers to bypass security mechanisms and download arbitrary files from the server.

References

https://github.com/xuxueli/xxl-conf/issues/61

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability Reserved
Oct 3, 2022
Vulnerability published
Dec 12, 2018

Xuxueli

What is CVE-2018-20094?

References

CVSS V3.1

Timeline