Affected Product: Apache Pluto
Severity: Important

Vendor: The Apache Software Foundation

CVEID: CVE-2018-1306

DESCRIPTION:
The PortletV3AnnotatedDemo Multipart Portlet war file code could allow a remote attacker to obtain sensitive information, caused by the failure to restrict path information provided during a file upload. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.

Versions Affected: 3.0.0

Mitigation:
* Uninstall the PortletV3AnnotatedDemo Multipart Portlet war file
- or -
* Migrate to version 3.0.1

Credit: Che-Chun Kuo

Kind regards,
Scott Nicklous

WebSphere Portal Standardization Lead & Technology Consultant
Specification Lead, JSR 362 Portlet Specification 3.0
IBM Commerce, Digital Experience Development
Phone: +49-7031-16-4808 / E-Mail: scott.nickl...@de.ibm.com / Schoenaicher Str. 220, 71032 Boeblingen, Germany
IBM Deutschland Research & Development GmbH / Chairman of the Supervisory Board: Martina Koederitz / Management: Dirk Wittkopp
Registered office: Böblingen / Court of registration: Amtsgericht Stuttgart, HRB 243294
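
The root cause named in the description, path information accepted from an uploaded file's name, is the kind of input an upload handler can reject before touching the file system. The following is an added illustration, not code from Apache Pluto or from the 3.0.1 fix; the class name, the `resolveUpload` helper, the `uploads` directory and the sample names are all assumptions constructed for the example.

```java
import java.io.IOException;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class UploadPathCheck {

    /**
     * Maps a client-submitted file name to a path directly inside uploadDir.
     * Throws IOException if the name carries any path information.
     * (Hypothetical helper for illustration.)
     */
    static Path resolveUpload(Path uploadDir, String submittedName) throws IOException {
        if (submittedName == null || submittedName.isEmpty()) {
            throw new IOException("empty file name");
        }
        // Reject separators of either platform, NUL, and the dot entries outright
        // instead of trying to strip them out of the name.
        if (submittedName.contains("/") || submittedName.contains("\\")
                || submittedName.indexOf('\0') >= 0
                || submittedName.equals(".") || submittedName.equals("..")) {
            throw new IOException("file name contains path information");
        }
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target;
        try {
            target = base.resolve(submittedName).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("invalid file name", e);
        }
        // Defence in depth: the result must be a direct child of the upload directory.
        if (!base.equals(target.getParent())) {
            throw new IOException("resolved path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        Path dir = Paths.get("uploads"); // assumed upload directory
        // Constructed sample names: one plain name, the rest carry path information.
        String[] names = {"report.txt", "../conf/settings.xml",
                          "..\\..\\conf\\settings.xml", "/etc/hostname", ".."};
        for (String n : names) {
            try {
                System.out.println("accepted: " + n + " -> " + resolveUpload(dir, n));
            } catch (IOException e) {
                System.out.println("rejected: " + n + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only `report.txt` is accepted; every other sample name is rejected before a path is built from it.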