PT-2019-9301 · Swift · Swift Alliance Web Platform

Published

2019-07-05

Updated

2020-08-24

CVE-2018-16386

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions SWIFT Alliance Web Platform version 7.1.23

Description An issue in the SWIFT Alliance Web Platform allows log injection and arbitrary log filename creation via the PATH INFO to "swp/login/EJBRemoteService/". This is related to error log information in com.swift.ejbgwt.j2ee.client.EjBlnvocationException, which contains null@java:comp/env/ error messages.

Recommendations For SWIFT Alliance Web Platform version 7.1.23, consider restricting access to the "swp/login/EJBRemoteService/" endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the PATH INFO to inject logs until a patch is available.

Fix

Improper Encoding or Escaping of Output

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-116

Related Identifiers

CVE-2018-16386

Affected Products

Swift Alliance Web Platform

PT-2019-9301 · Swift · Swift Alliance Web Platform

CVE-2018-16386

Weakness Enumeration

Related Identifiers

Affected Products

References · 4