CVE-2018-16386

Name of the Vulnerable Software and Affected Versions SWIFT Alliance Web Platform version 7.1.23

Description An issue in the SWIFT Alliance Web Platform allows log injection and arbitrary log filename creation via the PATH INFO to "swp/login/EJBRemoteService/". This is related to error log information in com.swift.ejbgwt.j2ee.client.EjBlnvocationException, which contains null@java:comp/env/ error messages.

Recommendations For SWIFT Alliance Web Platform version 7.1.23, consider restricting access to the "swp/login/EJBRemoteService/" endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the PATH INFO to inject logs until a patch is available.