CVE-2013-2186
Published: 28 October 2013
The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.
Priority
Status
Package | Release | Status |
---|---|---|
libcommons-fileupload-java Launchpad, Ubuntu, Debian |
upstream |
Needs triage
|
lucid |
Released
(1.2.1-3ubuntu2.1)
|
|
precise |
Released
(1.2.2-1ubuntu0.12.04.1)
|
|
quantal |
Released
(1.2.2-1ubuntu0.12.10.1)
|
|
raring |
Released
(1.2.2-1ubuntu0.13.04.1)
|
|
saucy |
Released
(1.3-2ubuntu0.1)
|
|
trusty |
Released
(1.3-2ubuntu1)
|
|
Patches: upstream: http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java?r1=1460343&r2=1507048 |