[OFBIZ-12558] Possible authenticated attack related to Tomcat CVE-2020-1938 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 18.12.05, Upcoming Branch
Fix Version/s: 18.12.06, 22.01.01
Component/s: None
Labels:
None

Sprint:
Bug Crush Event - 21/2/2015

Description

Lion Tree <liontree0110@gmail.com> has reported us that "CVE-2020-1938 is not fully fixed".

Though it was fixed by ~~OFBIZ-11407~~, it still possible for an authenticated user to upload a webshell included in an image using one of the OFBiz upload possibilities. That of course is not new and already covered by ~~OFBIZ-12080~~ "Secure the uploads", but was still incomplete.

So this Jira covers 2 points:

Disable bypass of Tomcat due to setting in framework/catalina/ofbiz-component.xml
Enforce upload prevention of webshells, specifically but not only those included in images

Attachments

Activity

People

Assignee:: Jacques Le Roux

Reporter:: Jacques Le Roux

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 04/Feb/22 10:12

Updated:: 10/Feb/22 17:28

Resolved:: 10/Feb/22 13:23