Severity: 7.5 HIGH
EPSS: 87.1% (top 0.56%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 28 (2013); Latest update May 17 (2022)

Description

The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.
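
The following is an added example, not code from Apache Commons FileUpload, Red Hat, or this page: a cut-down Java model of the DiskFileItem readObject() path that the description refers to. The vulnerable class rebuilds the cached upload on disk wherever the serialized repository field says, so a hostile stream names the target; the hardened class applies the checks the fix introduced (reject a repository path containing a NUL byte, require an existing directory) before anything is opened. The class and method names (DiskFileItemModel, VulnerableItem, HardenedItem, restoreCache) and the sample body are invented for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;

// Added illustration, not code from Apache Commons FileUpload. Both nested classes are
// simplified stand-ins for DiskFileItem, keeping only the serialized fields that matter
// here: the 'repository' directory and the cached upload body.
public class DiskFileItemModel {

    // Shared by both models: rebuild "<repository>/upload_<n>.tmp" from the stream's bytes.
    // With a NUL in the path ("/var/www/app/x.jsp\0"), JVMs of that era handed the string
    // to a C open() that stops at the NUL, so the bytes landed in x.jsp: the attacker
    // chooses the whole file name, not just the directory.
    static File restoreCache(File repository, byte[] content) throws IOException {
        File target = new File(repository, "upload_" + System.nanoTime() + ".tmp");
        try (OutputStream out = new FileOutputStream(target)) {
            out.write(content);
        }
        return target;
    }

    /** Vulnerable shape: readObject() trusts whatever 'repository' the stream carries. */
    static final class VulnerableItem implements Serializable {
        private static final long serialVersionUID = 1L;
        private File repository;          // attacker-controlled in a hostile stream
        private byte[] cachedContent;     // attacker-controlled file body
        private transient File dfosFile;  // where readObject() put the bytes

        VulnerableItem(File repository, byte[] cachedContent) {
            this.repository = repository;
            this.cachedContent = cachedContent;
        }

        File writtenFile() { return dfosFile; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            dfosFile = restoreCache(repository, cachedContent);  // no validation at all
        }
    }

    /** Hardened shape: the checks the fix introduced, run before any file is opened. */
    static final class HardenedItem implements Serializable {
        private static final long serialVersionUID = 1L;
        private File repository;
        private byte[] cachedContent;
        private transient File dfosFile;

        HardenedItem(File repository, byte[] cachedContent) {
            this.repository = repository;
            this.cachedContent = cachedContent;
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (repository != null) {
                String path = repository.getPath();
                if (path.indexOf('\0') >= 0) {
                    throw new IOException("repository path contains a NUL byte");
                }
                if (!repository.isDirectory()) {
                    throw new IOException("repository is not a directory: " + path);
                }
            }
            dfosFile = restoreCache(repository, cachedContent);
        }
    }

    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    static Object deserialize(byte[] stream) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        File sandbox = Files.createTempDirectory("cve-2013-2186-demo").toFile();
        // Constructed sample body; a real attacker would ship a web shell or config file here.
        byte[] body = "<% out.println(\"owned\"); %>".getBytes(StandardCharsets.UTF_8);

        // 1) Vulnerable model: the stream, not the server, decides where the bytes go.
        //    A NUL-free path is used so the demo behaves the same on every JDK.
        VulnerableItem v = (VulnerableItem) deserialize(serialize(new VulnerableItem(sandbox, body)));
        System.out.println("vulnerable model wrote " + v.writtenFile().length() + " bytes to " + v.writtenFile());

        // 2) Hardened model: a repository path carrying a NUL byte is refused in readObject().
        File hostile = new File(new File(sandbox, "evil.jsp").getPath() + "\0");
        try {
            deserialize(serialize(new HardenedItem(hostile, body)));
            System.out.println("hardened model did NOT reject the stream");
        } catch (IOException e) {
            System.out.println("hardened model rejected the stream: " + e.getMessage());
        }
    }
}
```

Run it with `java DiskFileItemModel.java` on JDK 11 or later. Current JDKs refuse java.io.File paths that contain a NUL, which blunts the truncation trick on its own, but the root problem is unchanged: a serialized object from an untrusted source gets to name a filesystem path. The operational fix is to move to Commons FileUpload 1.3.1 or later (or the vendor-patched packages listed below) and to never deserialize DiskFileItem from untrusted input, for example by rejecting it in an ObjectInputFilter allow-list on Java 9 and later.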

CVSS vector

CVSS v2: AV:N/AC:L/Au:N/C:P/I:P/A:P (Exploitability: 10.0 | Impact: 6.4)

Affected Packages: 7 packages

Vulnerability Details (5)

GHSA: Deserialization of Untrusted Data in Apache Tomcat (2022-05-17)
GHSA: Arbitrary file write in Apache Commons Fileupload (2022-05-14)
OSV: Arbitrary file write in Apache Commons Fileupload (2022-05-14)
OSV: CVE-2013-2186: The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5... (2013-10-28)
CVEList: CVE-2013-2186: The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5... (2013-10-28)

Vendor Advisories (5)

Jenkins: Jenkins Security Advisory 2014-10-01 (2014-10-01)
Ubuntu: Apache Commons FileUpload vulnerability (2013-11-13)
Red Hat: commons-fileupload: Arbitrary file upload via deserialization (2013-10-15)
Red Hat: Tomcat/JBossWeb: Arbitrary file upload via deserialization (2013-09-03)
Debian: CVE-2013-2186: libcommons-fileupload-java - The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BR... (2013)

Community (1)

Bugzilla: CVE-2013-2186 Apache commons-fileupload: Arbitrary file upload via deserialization (2013-06-16)

Source: cvebase.io, CVE-2013-2186 (HIGH, CVSS 7.5)