CVE-2016-0709

Name of the Vulnerable Software and Affected Versions Apache Jetspeed versions prior to 2.3.1

Description The issue allows remote authenticated administrators to write to arbitrary files and consequently execute arbitrary code via a .. (dot dot) in a ZIP archive entry. This can be achieved by including a ../../webapps/x.jsp entry in the ZIP archive.

Recommendations For versions prior to 2.3.1, update to version 2.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the Import/Export function in the Portal Site Manager to minimize the risk of exploitation.