CVE-2014-8114

Impact:
Important
Public Date:
2015-02-17
CWE:
CWE-22
Bugzilla:
1169544: CVE-2014-8114 UberFire: Information disclosure and RCE via insecure file upload/download servlets
It was discovered that the default implementation of FileUploadServlet and FileDownloadServlet provided by the UberFire Framework did not restrict the paths to which a file could be written or read from. In applications using this framework and exposing these servlets, a remote attacker could gain access to information stored in files accessible to the application container process, or execute arbitrary code by uploading malicious content.
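The defect described above is the absence of a containment check between the user-supplied file name and the directory the servlet is meant to serve. The following is an added illustration, not UberFire or Red Hat code, of the check such a servlet should perform before reading or writing: the base directory `/srv/app/uploads` and the class name are assumed for the example, and a POSIX path layout is assumed.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not UberFire code): confines a user-supplied file name to a
 * fixed base directory before a download or upload servlet touches the disk.
 */
public final class ConfinedPathResolver {

    private final Path base;

    public ConfinedPathResolver(Path base) {
        // Canonicalise the base once so the containment check compares like with like.
        this.base = base.toAbsolutePath().normalize();
    }

    /**
     * Returns the resolved path if it lies inside the base directory, otherwise
     * throws. Rejects absolute paths, ".." sequences that climb out of the base,
     * and names the platform cannot represent (for example embedded NUL bytes).
     * Note: normalize() is purely lexical; if the base directory may contain
     * symbolic links, compare toRealPath() of both sides once the file exists.
     */
    public Path resolve(String userSupplied) {
        if (userSupplied == null || userSupplied.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        final Path candidate;
        try {
            // resolve() returns the argument unchanged when it is absolute, so
            // an absolute name ends up outside base and fails the check below.
            candidate = base.resolve(userSupplied).normalize();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("malformed file name", e);
        }
        // Path.startsWith compares whole name elements, so a sibling directory
        // such as "/srv/app/uploads-old" is not mistaken for a child of the base.
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            throw new IllegalArgumentException("file name escapes base directory");
        }
        return candidate;
    }

    public static void main(String[] args) {
        ConfinedPathResolver r = new ConfinedPathResolver(Paths.get("/srv/app/uploads"));
        System.out.println("accepted: " + r.resolve("reports/q1.pdf"));
        for (String bad : new String[] {"../../etc/passwd", "/etc/passwd", "a/../../b"}) {
            try {
                r.resolve(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
        }
    }
}
```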

Find out more about CVE-2014-8114 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score: 6
Base Metrics: AV:N/AC:M/Au:S/C:P/I:P/A:P
Access Vector: Network
Access Complexity: Medium
Authentication: Single
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss BPMS 6.0 RHSA-2015:0234 2015-02-17
Red Hat JBoss BRMS 6.0 RHSA-2015:0235 2015-02-17

Acknowledgements

Red Hat would like to thank David Jorm for reporting this issue.
