Apache OpenMeetings allows remote attackers to read arbitrary files by attempting to upload a file
High severity
GitHub Reviewed
Published
May 14, 2022
to the GitHub Advisory Database
•
Updated Feb 2, 2023
Package
Affected versions
< 3.1.1
Patched versions
3.1.1
Description
Published by the National Vulnerability Database
Apr 11, 2016
Published to the GitHub Advisory Database
May 14, 2022
Reviewed
Nov 22, 2022
Last updated
Feb 2, 2023
The (1) FileService.importFileByInternalUserId and (2) FileService.importFile SOAP API methods in Apache OpenMeetings before 3.1.1 improperly use the Java URL class without checking the specified protocol handler, which allows remote attackers to read arbitrary files by attempting to upload a file.
References