漏洞信息详情
Apache Commons FileUpload 权限许可和访问控制问题漏洞
- CNNVD编号:CNNVD-201404-006
- 危害等级: 中危
- CVE编号: CVE-2014-0050
- 漏洞类型: 权限许可和访问控制问题
- 发布时间: 2014-04-02
- 威胁类型: 远程
- 更新时间: 2021-11-08
- 厂 商: apache
- 漏洞来源:
漏洞简介
Apache Commons FileUpload是美国阿帕奇(Apache)基金会的一个可将文件上传到Servlet和Web应用程序的软件包。
Apache Commons FileUpload 1.3.1及之前版本(用在Apache Tomcat和JBoss Web中)中的MultipartStream.java文件存在权限许可和访问控制问题漏洞。该漏洞源于网络系统或产品缺乏有效的权限许可和访问控制措施。
漏洞公告
目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接:
http://svn.apache.org/viewvc?view=revision&revision=r1565143
参考网址
来源:BUGTRAQ
链接:http://www.securityfocus.com/archive/1/534161/100/0/threaded
来源:REDHAT
链接:http://rhn.redhat.com/errata/RHSA-2014-0252.HTML
来源:SECUNIA
链接:http://secunia.com/advisories/59183
来源:CONFIRM
链接:http://advisories.mageia.org/MGASA-2014-0110.HTML
来源:SECUNIA
链接:http://secunia.com/advisories/59185
来源:SECUNIA
链接:http://secunia.com/advisories/59184
来源:CONFIRM
链接:https://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm
来源:SECUNIA
链接:http://secunia.com/advisories/59187
来源:HP
链接:http://marc.info/?l=bugtraq&m=143136844732487&w=2
来源:SECUNIA
链接:http://secunia.com/advisories/57915
来源:JVNDB
链接:http://jvndb.jvn.jp/jvndb/JVNDB-2014-000017
来源:UBUNTU
链接:http://www.ubuntu.com/usn/USN-2130-1
来源:CONFIRM
链接:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
来源:CONFIRM
链接:http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.HTML
来源:CONFIRM
链接:https://www.vmware.com/security/advisories/VMSA-2014-0007.HTML
来源:REDHAT
链接:http://rhn.redhat.com/errata/RHSA-2014-0253.HTML
来源:CONFIRM
链接:https://bugzilla.redhat.com/show_bug.cgi?id=1062337
来源:SECUNIA
链接:http://secunia.com/advisories/59232
来源:SECUNIA
链接:http://secunia.com/advisories/59399
来源:FULLDISC
链接:http://seclists.org/fulldisclosure/2014/Dec/23
来源:SECUNIA
链接:http://secunia.com/advisories/59500
来源:MANDRIVA
链接:http://www.mandriva.com/security/advisories?name=MDVSA-2015:084
来源:CONFIRM
链接:http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.HTML
来源:SECUNIA
链接:http://secunia.com/advisories/58976
来源:CONFIRM
链接:http://www-01.ibm.com/support/docview.wss?uid=swg21676853
来源:CONFIRM
链接:http://www-01.ibm.com/support/docview.wss?uid=swg21676656
来源:CONFIRM
链接:https://www.vmware.com/security/advisories/VMSA-2014-0012.HTML
来源:CONFIRM
链接:http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.HTML
来源:CONFIRM
链接:http://www-01.ibm.com/support/docview.wss?uid=swg21676410
来源:CONFIRM
链接:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917
来源:CONFIRM
链接:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
来源:MISC
链接:http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.HTML
来源:DEBIAN
链接:https://www.debian.org/security/2014/dsa-2856
来源:CONFIRM
链接:http://www-01.ibm.com/support/docview.wss?uid=swg21676092
来源:BUGTRAQ
链接:http://www.securityfocus.com/archive/1/532549/100/0/threaded
来源:CONFIRM
链接:http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.HTML
来源:CONFIRM
链接:http://www-01.ibm.com/support/docview.wss?uid=swg21676091
来源:CONFIRM
链接:http://tomcat.apache.org/security-8.HTML
来源:SECUNIA
链接:http://secunia.com/advisories/59041
来源:BID
链接:https://www.securityfocus.com/bid/65400
来源:SECUNIA
链接:http://secunia.com/advisories/58075
来源:CONFIRM
链接:http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.HTML
来源:CONFIRM
链接:http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.HTML
来源:SECUNIA
链接:http://secunia.com/advisories/59039
来源:CONFIRM
链接:http://www-01.ibm.com/support/docview.wss?uid=swg21676405
来源:CONFIRM
链接:http://www-01.ibm.com/support/docview.wss?uid=swg21669554
来源:CONFIRM
链接:http://www-01.ibm.com/support/docview.wss?uid=swg21676401
来源:CONFIRM
链接:http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.HTML
来源:MISC
链接:https://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.HTML
来源:CONFIRM
链接:http://www-01.ibm.com/support/docview.wss?uid=swg21676403
来源:CONFIRM
链接:http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.HTML
来源:CONFIRM
链接:http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.HTML
来源:MLIST
链接:http://mail-archives.apache.org/mod_mbox/commons-dev/201402.mbox/%[email protected]%3E
来源:CONFIRM
链接:http://www-01.ibm.com/support/docview.wss?uid=swg21675432
来源:CONFIRM
链接:http://www-01.ibm.com/support/docview.wss?uid=swg21677691
来源:CONFIRM
链接:http://svn.apache.org/r1565143
来源:CONFIRM
链接:http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.HTML
来源:REDHAT
链接:http://rhn.redhat.com/errata/RHSA-2014-0400.HTML
来源:CONFIRM
链接:http://www-01.ibm.com/support/docview.wss?uid=swg21681214
来源:SECUNIA
链接:http://secunia.com/advisories/59492
来源:SECUNIA
链接:http://secunia.com/advisories/60753
来源:SECUNIA
链接:http://secunia.com/advisories/59725
来源:CONFIRM
链接:https://www.vmware.com/security/advisories/VMSA-2014-0008.HTML
来源:CONFIRM
链接:http://tomcat.apache.org/security-7.HTML
来源:CONFIRM
链接:http://www-01.ibm.com/support/docview.wss?uid=swg21677724
来源:JVN
链接:http://jvn.jp/en/jp/JVN14876762/index.HTML
来源:CONFIRM
链接:http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.HTML
来源:SECUNIA
链接:http://secunia.com/advisories/60475
来源:www.ibm.com
链接:https://www.ibm.com/support/docview.wss?uid=ibm10967469
来源:www.ibm.com
链接:http://www.ibm.com/support/docview.wss?uid=ibm10872142
来源:www.auscert.org.au
链接:https://www.auscert.org.au/bulletins/75922
来源:www.ibm.com
链接:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-identified-in-ibm-storediq/
来源:packetstormsecurity.com
链接:https://packetstormsecurity.com/files/163537/Gentoo-Linux-Security-Advisory-202107-39.HTML
来源:www-01.ibm.com
链接:https://www-01.ibm.com/support/docview.wss?uid=ibm10872142
来源:www.ibm.com
链接:https://www.ibm.com/support/pages/node/6514385
来源:www.auscert.org.au
链接:https://www.auscert.org.au/bulletins/ESB-2019.3165/
来源:www.cybersecurity-help.cz
链接:https://www.cybersecurity-help.cz/vdb/SB2021071906
受影响实体
- Apache Tomcat:8.0.1
- Apache Tomcat:8.0.0:Rc2
- Apache Tomcat:8.0.0:Rc5
- Apache Tomcat:8.0.0:Rc10
- Apache Tomcat:7.0.50
补丁
- commons-fileupload-1.3.1-bin
- apache-tomcat-8.0.3
- commons-fileupload-1.3.1-bin
- apache-tomcat-7.0.52
- struts-2.3.16.1-all
评论