PT-2019-15098 · Jfinal · Jfinal

Glassyamadeus · Published 2019-10-08 · Updated 2022-05-25 · CVE-2019-17352

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

JFinal cos before 2019-08-13
JFinal version 4.4

Description

The issue allows bypassing the isSafeFile() function, enabling the upload of any file type. For instance, a .jsp file can be uploaded, stored, and potentially deleted immediately, but certain exceptions may prevent this deletion.

Recommendations

For JFinal cos before 2019-08-13, consider updating to a version released after 2019-08-13 to address the issue. For JFinal version 4.4, consider updating to a version that incorporates the fix for the isSafeFile() function bypass vulnerability.

Exploit

Fix

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2019-17352
GHSA-279P-PC38-XX4P

Affected Products

Jfinal