CVE-2023-4760

In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component. The reason for this is a not completely secure extraction of the file name in the FileUploadProcessor.stripFileName(String name) method. As soon as this finds a / in the path, everything before it is removed, but potentially \ (backslashes) coming further back are kept. For example, a file name such as /..\..\webapps\shell.war can be used to upload a file to a Tomcat server under Windows, which is then saved as ..\..\webapps\shell.war in its webapps directory and can then be executed.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/eclipse-rap/org.eclipse.rap/pull/141	Issue Tracking Patch
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/160	Exploit Issue Tracking

Configurations

Configuration 1 (hide)

cpe:2.3:a:eclipse:remote_application_platform:*:*:*:*:*:*:*:*

History

26 Sep 2023, 14:09

Type	Values Removed	Values Added
References	~~(MISC) https://github.com/eclipse-rap/org.eclipse.rap/pull/141 -~~	(MISC) https://github.com/eclipse-rap/org.eclipse.rap/pull/141 - Issue Tracking, Patch
References	~~(MISC) https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/160 -~~	(MISC) https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/160 - Exploit, Issue Tracking
CPE		cpe:2.3:a:eclipse:remote_application_platform::::::::
First Time		Eclipse remote Application Platform Eclipse
CWE		CWE-22
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

21 Sep 2023, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-21 08:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-4760

Mitre link : CVE-2023-4760

CVE.ORG link : CVE-2023-4760

JSON object : View

Products Affected

eclipse

remote_application_platform

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-23

Relative Path Traversal

{"id": "CVE-2023-4760", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "emo@eclipse.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 2.8}]}, "published": "2023-09-21T08:15:09.403", "references": [{"url": "https://github.com/eclipse-rap/org.eclipse.rap/pull/141", "tags": ["Issue Tracking", "Patch"], "source": "emo@eclipse.org"}, {"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/160", "tags": ["Exploit", "Issue Tracking"], "source": "emo@eclipse.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Secondary", "source": "emo@eclipse.org", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-23"}]}], "descriptions": [{"lang": "en", "value": "In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component.\n\n\n\n\n\n\nThe reason for this is a not completely secure extraction of the file name in the FileUploadProcessor.stripFileName(String name) method. As soon as this finds a / in the path, everything before it is removed, but potentially \\ (backslashes) coming further back are kept.\n\nFor example, a file name such as /..\\..\\webapps\\shell.war can be used to upload a file to a Tomcat server under Windows, which is then saved as ..\\..\\webapps\\shell.war in its webapps directory and can then be executed.\n\n\n"}, {"lang": "es", "value": "En las versiones de Eclipse RAP desde 3.0.0 hasta 3.25.0 incluida, la Ejecuci\u00f3n Remota de C\u00f3digo es posible en Windows cuando se utiliza el componente FileUpload. La raz\u00f3n de esto es una extracci\u00f3n no completamente segura del nombre del archivo en el m\u00e9todo FileUploadProcessor.stripFileName(String name). Tan pronto como esto encuentre una/en la ruta, todo lo anterior se elimina, pero potencialmente \\ (barras invertidas) que vienen m\u00e1s atr\u00e1s se mantienen. Por ejemplo, se puede utilizar un nombre de archivo como /..\\..\\webapps\\shell.war para cargar un archivo en un servidor Tomcat en Windows, que luego se guarda como ..\\..\\webapps\\shell.war. en su directorio webapps y luego se puede ejecutar.\n"}], "lastModified": "2023-09-26T14:09:03.183", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:remote_application_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "11B55478-B8C8-47E0-B87D-7A02BB498FCD", "versionEndIncluding": "3.25.0", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "emo@eclipse.org"}