PT-2017-8468 · WSO2 · WSO2 Carbon

Hyp3Rlinx · Published 2017-02-16 · Updated 2022-05-14 · CVE-2016-4314

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: WSO2 Carbon version 4.4.5

Description: A directory traversal issue exists in the LogViewer Admin Service, allowing remote authenticated administrators to read arbitrary files. The traversal is triggered by a .. (dot dot) sequence in the logFile parameter of the "downloadgz-ajaxprocessor.jsp" endpoint.

Recommendations: For WSO2 Carbon version 4.4.5, consider restricting access to the LogViewer Admin Service until a patch is available. As a temporary workaround, avoid using the logFile parameter of the downloadgz-ajaxprocessor.jsp endpoint to minimize the risk of exploitation.
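As an added example (not code from WSO2 Carbon or from this advisory), the following Python shows the server-side check a log-download endpoint of this kind needs, confining the logFile value to a fixed log directory, and reuses that same check to flag access-log requests to downloadgz-ajaxprocessor.jsp whose logFile would have escaped it. The log directory, the endpoint's URL path and the access-log lines are assumed or constructed.

```python
import re
from pathlib import Path
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed log directory (illustrative, not a WSO2-documented path).
LOG_DIR = Path("/opt/wso2carbon/repository/logs")

def safe_log_path(log_file: str, base: Path = LOG_DIR):
    """Return base/log_file if log_file is a bare file name inside base, else None."""
    # Decode until stable so a double-encoded %252e%252e is judged on its real value.
    name = log_file
    while (decoded := unquote(name)) != name:
        name = decoded
    # Only a bare file name is acceptable: no separators, no "." or "..", no NUL byte.
    if not name or "\x00" in name or name in (".", "..") or "/" in name or "\\" in name:
        return None
    # Belt and braces: the resolved target must still sit under the log directory.
    target = (base / name).resolve()
    if not target.is_relative_to(base.resolve()):
        return None
    return target

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def find_traversal_requests(lines):
    """Return (client_ip, logFile) pairs for downloadgz-ajaxprocessor.jsp requests whose logFile fails safe_log_path."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/downloadgz-ajaxprocessor.jsp"):
            continue
        for value in parse_qs(url.query).get("logFile", []):  # parse_qs decodes once
            if safe_log_path(value) is None:
                hits.append((line.split(" ", 1)[0], value))
    return hits

# Constructed access-log lines (not from a real system); the endpoint's URL path is assumed.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [16/Feb/2017:10:01:02 +0000] "GET /carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=wso2carbon.log HTTP/1.1" 200 5120',
    '10.0.0.9 - - [16/Feb/2017:10:02:17 +0000] "GET /carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../../../etc/hosts HTTP/1.1" 200 1842',
    '10.0.0.9 - - [16/Feb/2017:10:02:40 +0000] "GET /carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=..%252F..%252F..%252Fetc%252Fhostname HTTP/1.1" 200 9001',
    '10.0.0.7 - - [16/Feb/2017:10:03:00 +0000] "GET /carbon/admin/index.jsp HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, value in find_traversal_requests(SAMPLE_ACCESS_LOG):
        print(f"suspicious logFile from {ip}: {value!r}")
```

The second flagged line shows why the validator decodes until stable: the access log records the double-encoded form, and a single decode would still leave `%2F` in place of the separators.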

Path traversal

Related Identifiers

CVE-2016-4314
GHSA-MJWW-VQQW-V78Q

Affected Products

WSO2 Carbon