In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component.
The reason for this is a not completely secure extraction of the file name in the FileUploadProcessor.stripFileName(String name) method. As soon as this finds a / in the path, everything before it is removed, but potentially \ (backslashes) coming further back are kept.
For example, a file name such as /..\..\webapps\shell.war can be used to upload a file to a Tomcat server under Windows, which is then saved as ..\..\webapps\shell.war in its webapps directory and can then be executed.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: eclipse
Published: 2023-09-21T07:35:35.790Z
Updated: 2024-08-02T07:37:59.919Z
Reserved: 2023-09-04T16:06:47.588Z
Link: CVE-2023-4760
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2023-09-21T08:15:09.403
Modified: 2023-09-26T14:09:03.183
Link: CVE-2023-4760
Redhat
No data.