CVE-2013-2186

Priority
Medium
Description
The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat
JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat
JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files
via a NULL byte in a file name in a serialized instance.
References
Bugs
Assigned-to
mdeslaur
Package
Upstream:needs-triage
Ubuntu 10.04 LTS (Lucid Lynx):released (1.2.1-3ubuntu2.1)
Ubuntu 12.04 LTS (Precise Pangolin):released (1.2.2-1ubuntu0.12.04.1)
Ubuntu 12.10 (Quantal Quetzal):released (1.2.2-1ubuntu0.12.10.1)
Ubuntu 13.04 (Raring Ringtail):released (1.2.2-1ubuntu0.13.04.1)
Ubuntu 13.10 (Saucy Salamander):released (1.3-2ubuntu0.1)
Ubuntu 14.04 LTS (Trusty Tahr):released (1.3-2ubuntu1)
Patches:
Upstream:http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java?r1=1460343&r2=1507048
More Information

Valid XHTML 1.0 Strict

Updated: 2013-11-13 16:14:32 UTC (commit 7452)