[ 
https://issues.apache.org/jira/browse/OFBIZ-12558?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-12558:
------------------------------------
    Summary: Possible authenticated attack related to Tomcat CVE-2020-1938  
(was: Possible authentified attack related to Tomcat CVE-2020-1938)

> Possible authenticated attack related to Tomcat CVE-2020-1938
> -------------------------------------------------------------
>
>                 Key: OFBIZ-12558
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12558
>             Project: OFBiz
>          Issue Type: Bug
>    Affects Versions: 18.12.05, Upcoming Branch
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>
> Lion Tree <liontree0...@gmail.com> has reported us that "CVE-2020-1938 is not 
> fully fixed". 
> Though it was fixed by OFBIZ-11407, it still possible for an authentified 
> user to upload a webshell included in an image using one of the OFBiz upload 
> possibilities. That of course is not new and already covered by OFBIZ-12080 
> "Secure the uploads", but was still incomplete.
> So this Jira covers 2 points:
> # Disable bypass of Tomcat due to setting in 
> framework/catalina/ofbiz-component.xml
> # Enforce upload prevention of webshells, specifically but not only those 
> included in images 



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to