Malicious code execution via path traversal in Apache Software Foundation Apache Sling Servlets Resolver.This issue affects all version of Apache Sling Servlets Resolver before 2.11.0. However, whether a system is vulnerable to this attack depends on the exact configuration of the system.
If the system is vulnerable, a user with write access to the repository might be able to trick the Sling Servlet Resolver to load a previously uploaded script.
Users are recommended to upgrade to version 2.11.0, which fixes this issue. It is recommended to upgrade, regardless of whether your system configuration currently allows this attack or not.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2024/02/06/1 | Mailing List |
https://lists.apache.org/thread/5zzx8ztwc6tmbwlw80m2pbrp3913l2kl | Mailing List |
http://www.openwall.com/lists/oss-security/2024/02/06/1 | Mailing List |
https://lists.apache.org/thread/5zzx8ztwc6tmbwlw80m2pbrp3913l2kl | Mailing List |
Configurations
History
21 Nov 2024, 08:58
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.openwall.com/lists/oss-security/2024/02/06/1 - Mailing List | |
References | () https://lists.apache.org/thread/5zzx8ztwc6tmbwlw80m2pbrp3913l2kl - Mailing List | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.5 |
14 Feb 2024, 00:26
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.openwall.com/lists/oss-security/2024/02/06/1 - Mailing List | |
References | () https://lists.apache.org/thread/5zzx8ztwc6tmbwlw80m2pbrp3913l2kl - Mailing List | |
First Time |
Apache sling Servlets Resolver
Apache |
|
CPE | cpe:2.3:a:apache:sling_servlets_resolver:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
06 Feb 2024, 14:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
06 Feb 2024, 13:53
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
06 Feb 2024, 10:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-02-06 10:15
Updated : 2024-11-21 08:58
NVD link : CVE-2024-23673
Mitre link : CVE-2024-23673
CVE.ORG link : CVE-2024-23673
JSON object : View
Products Affected
apache
- sling_servlets_resolver
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')