Main Vulnerability Database SB2017103017

SB2017103017 - Path traversal in Baofeng Storm

Published: October 30, 2017 Updated: August 8, 2020

Security Bulletin ID SB2017103017

Severity

Medium

Patch available

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Path traversal (CVE-ID: CVE-2014-0115)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in the log viewer in Apache Storm 0.9.0.1. A remote authenticated attacker can send a specially crafted HTTP request and remote attackers to read arbitrary files via a . (dot dot) in the file parameter to log.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

https://issues.apache.org/jira/browse/STORM-269
https://mail-archives.apache.org/mod_mbox/storm-dev/201404.mbox/%3CJIRA.12704141.1395964296891.201561.1398799995645@arcas%3E