Lucene search

GitHub Advisory DatabaseGHSA-WJP3-4XCQ-598P

HistoryMay 14, 2022 - 3:46 a.m.

Apache Sling JCR ContentLoader XmlReader Arbitrary File Load

2022-05-1403:46:15

CWE-200

GitHub Advisory Database

github.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

31.1%

JSON

The Apache Sling JCR ContentLoader 2.1.4 XmlReader used in the Sling JCR content loader module makes it possible to import arbitrary files in the content repository, including local files, causing potential information leaks. Users should upgrade to version 2.1.6 of the JCR ContentLoader

Affected configurations

Vulners

Node

org.apache.sling\Matchorg.apache.sling.jcr.contentloader

CPENameOperatorVersion
org.apache.sling:org.apache.sling.jcr.contentloaderlt2.1.6

CPE	Name	Operator	Version
	org.apache.sling:org.apache.sling.jcr.contentloader	lt	2.1.6

References

github.com/advisories/GHSA-wjp3-4xcq-598p

issues.apache.org/jira/browse/SLING-2512

lists.apache.org/thread/owd2xw86l19dh1f1zlhq41l7wlnd16sk

nvd.nist.gov/vuln/detail/CVE-2012-3353

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

31.1%

JSON

Related for GHSA-WJP3-4XCQ-598P