cnvd - cnvd-2019-09279

cnvd-2019-09279

Vulnerability from cnvd

Title: Apache JSPWiki信息泄露漏洞

Description:

Apache JSPWiki是美国阿帕奇（Apache）软件基金会的一款基于Java、Servlet和JSP构建的开源WikiWiki引擎。

Apache JSPWiki 2.9.0版本至2.11.0.M2版本中存在安全漏洞。攻击者可借助特制的URL利用该漏洞获取注册用户的详细信息。

Severity: 高

Patch Name: Apache JSPWiki信息泄露漏洞的补丁

Patch Description:

Apache JSPWiki是美国阿帕奇（Apache）软件基金会的一款基于Java、Servlet和JSP构建的开源WikiWiki引擎。

Apache JSPWiki 2.9.0版本至2.11.0.M2版本中存在安全漏洞。攻击者可借助特制的URL利用该漏洞获取注册用户的详细信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0225

Reference: https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0225

Impacted products

Name
Apache JSPWiki >=2.9.0，<=2.11.0.M2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-0225"
    }
  },
  "description": "Apache JSPWiki\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u57fa\u4e8eJava\u3001Servlet\u548cJSP\u6784\u5efa\u7684\u5f00\u6e90WikiWiki\u5f15\u64ce\u3002\n\nApache JSPWiki 2.9.0\u7248\u672c\u81f32.11.0.M2\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u7684URL\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u6ce8\u518c\u7528\u6237\u7684\u8be6\u7ec6\u4fe1\u606f\u3002",
  "discovererName": "Muthukumar Marikani, from ZOHO-CRM Security Team",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0225",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-09279",
  "openTime": "2019-04-01",
  "patchDescription": "Apache JSPWiki\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u57fa\u4e8eJava\u3001Servlet\u548cJSP\u6784\u5efa\u7684\u5f00\u6e90WikiWiki\u5f15\u64ce\u3002\r\n\r\nApache JSPWiki 2.9.0\u7248\u672c\u81f32.11.0.M2\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u7684URL\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u6ce8\u518c\u7528\u6237\u7684\u8be6\u7ec6\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache JSPWiki\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache JSPWiki \u003e=2.9.0\uff0c\u003c=2.11.0.M2"
  },
  "referenceLink": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0225",
  "serverity": "\u9ad8",
  "submitTime": "2019-04-01",
  "title": "Apache JSPWiki\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2019-0225 (GCVE-0-2019-0225)

Vulnerability from cvelistv5

Published

2019-03-28 21:07

Modified

2024-08-04 17:44

Severity ?

CWE

Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure

Summary

A specially crafted url could be used to access files under the ROOT directory of the application on Apache JSPWiki 2.9.0 to 2.11.0.M2, which could be used by an attacker to obtain registered users' details.

References

▼	URL	Tags
	https://lists.apache.org/thread.html/4f19fdbd8b9c4caf6137a459d723f4ec60379b033ed69277eb4e0af9%40%3Cuser.jspwiki.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/6251c06cb11e0b495066be73856592dbd7ed712487ef283d10972831%40%3Cdev.jspwiki.apache.org%3E	mailing-list, x_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2019/03/26/2	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/03ddbcb1d6322e04734e65805a147a32bcfdb71b8fc5821fb046ba8d%40%3Cannounce.apache.org%3E	mailing-list, x_refsource_MLIST
	https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0225	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/107627	vdb-entry, x_refsource_BID
	https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E	mailing-list, x_refsource_MLIST

Impacted products

	Vendor	Product	Version
	Apache	Apache JSPWiki	Version: Apache JSPWiki 2.9.0 to 2.11.0.M2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T17:44:15.389Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[jspwiki-user] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/4f19fdbd8b9c4caf6137a459d723f4ec60379b033ed69277eb4e0af9%40%3Cuser.jspwiki.apache.org%3E"
          },
          {
            "name": "[jspwiki-dev] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/6251c06cb11e0b495066be73856592dbd7ed712487ef283d10972831%40%3Cdev.jspwiki.apache.org%3E"
          },
          {
            "name": "[oss-security] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2019/03/26/2"
          },
          {
            "name": "[announce] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/03ddbcb1d6322e04734e65805a147a32bcfdb71b8fc5821fb046ba8d%40%3Cannounce.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0225"
          },
          {
            "name": "107627",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/107627"
          },
          {
            "name": "[jspwiki-commits] 20190329 [jspwiki-site] branch jbake updated: add CVE-2019-0224 and CVE-2019-0225 vulnerability disclosures",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E"
          },
          {
            "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache JSPWiki",
          "vendor": "Apache",
          "versions": [
            {
              "status": "affected",
              "version": "Apache JSPWiki 2.9.0 to 2.11.0.M2"
            }
          ]
        }
      ],
      "datePublic": "2019-03-25T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A specially crafted url could be used to access files under the ROOT directory of the application on Apache JSPWiki 2.9.0 to 2.11.0.M2, which could be used by an attacker to obtain registered users\u0027 details."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-05-19T17:06:00",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "[jspwiki-user] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/4f19fdbd8b9c4caf6137a459d723f4ec60379b033ed69277eb4e0af9%40%3Cuser.jspwiki.apache.org%3E"
        },
        {
          "name": "[jspwiki-dev] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/6251c06cb11e0b495066be73856592dbd7ed712487ef283d10972831%40%3Cdev.jspwiki.apache.org%3E"
        },
        {
          "name": "[oss-security] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2019/03/26/2"
        },
        {
          "name": "[announce] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/03ddbcb1d6322e04734e65805a147a32bcfdb71b8fc5821fb046ba8d%40%3Cannounce.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0225"
        },
        {
          "name": "107627",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/107627"
        },
        {
          "name": "[jspwiki-commits] 20190329 [jspwiki-site] branch jbake updated: add CVE-2019-0224 and CVE-2019-0225 vulnerability disclosures",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E"
        },
        {
          "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2019-0225",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache JSPWiki",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Apache JSPWiki 2.9.0 to 2.11.0.M2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A specially crafted url could be used to access files under the ROOT directory of the application on Apache JSPWiki 2.9.0 to 2.11.0.M2, which could be used by an attacker to obtain registered users\u0027 details."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[jspwiki-user] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/4f19fdbd8b9c4caf6137a459d723f4ec60379b033ed69277eb4e0af9@%3Cuser.jspwiki.apache.org%3E"
            },
            {
              "name": "[jspwiki-dev] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/6251c06cb11e0b495066be73856592dbd7ed712487ef283d10972831@%3Cdev.jspwiki.apache.org%3E"
            },
            {
              "name": "[oss-security] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2019/03/26/2"
            },
            {
              "name": "[announce] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/03ddbcb1d6322e04734e65805a147a32bcfdb71b8fc5821fb046ba8d@%3Cannounce.apache.org%3E"
            },
            {
              "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0225",
              "refsource": "CONFIRM",
              "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0225"
            },
            {
              "name": "107627",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/107627"
            },
            {
              "name": "[jspwiki-commits] 20190329 [jspwiki-site] branch jbake updated: add CVE-2019-0224 and CVE-2019-0225 vulnerability disclosures",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1@%3Ccommits.jspwiki.apache.org%3E"
            },
            {
              "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16@%3Ccommits.jspwiki.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2019-0225",
    "datePublished": "2019-03-28T21:07:57",
    "dateReserved": "2018-11-14T00:00:00",
    "dateUpdated": "2024-08-04T17:44:15.389Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted