CVE-2016-2164: Sensitive Information Exposure in Apache OpenMeetings

Severity: 7.5 HIGH (NVD)
EPSS: 1.2% (top 20.80%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 11; latest update May 14

Description

The (1) FileService.importFileByInternalUserId and (2) FileService.importFile SOAP API methods in Apache OpenMeetings before 3.1.1 improperly use the Java URL class without checking the specified protocol handler, which allows remote attackers to read arbitrary files by attempting to upload a file.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages: 1 package

Vulnerability Details (3)

GHSA: Apache OpenMeetings allows remote attackers to read arbitrary files by attempting to upload a file (2022-05-14)
OSV: Apache OpenMeetings allows remote attackers to read arbitrary files by attempting to upload a file (2022-05-14)
CVEList: CVE-2016-2164: The (1) FileService (2016-04-11)