NVD Vulnerability Detail

CVE-2018-20437

Summary	An issue was discovered in the fileDownload function in the CommonController class in FEBS-Shiro before 2018-11-05. An attacker can download a file via a request of the form /common/download?filename=1.jsp&delete=false. NOTE: the software maintainer disputes the significance of this report because the product uses a JAR archive for deployment, and this contains application.yml with configuration data
Publication Date	Dec. 26, 2018, 12:29 a.m.
Registration Date	March 1, 2021, 7:17 p.m.
Last Update	Nov. 21, 2024, 1:01 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:mrbird:febs-shiro::::::::					2018.11.05

Related information, measures and tools

No	URL	タグ
1	https://github.com/wuyouzhuguli/FEBS-Shiro/commit/9a753215b0969a5d5b5bfe8c68585339fee96260	Patch Third Party Advisory
2	https://github.com/wuyouzhuguli/FEBS-Shiro/commit/9a753215b0969a5d5b5bfe8c68585339fee96260	Patch Third Party Advisory
3	https://github.com/wuyouzhuguli/FEBS-Shiro/commit/a9706b1b3c96bacece24886429b4423c3a467acd	Patch Third Party Advisory
4	https://github.com/wuyouzhuguli/FEBS-Shiro/commit/a9706b1b3c96bacece24886429b4423c3a467acd	Patch Third Party Advisory
5	https://github.com/wuyouzhuguli/FEBS-Shiro/issues/40	Exploit Third Party Advisory
6	https://github.com/wuyouzhuguli/FEBS-Shiro/issues/40	Exploit Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-22	パス・トラバーサル	https://cwe.mitre.org/data/definitions/22.html

JVN Vulnerability Information

FEBS-Shiro におけるパストラバーサルの脆弱性

Title	FEBS-Shiro におけるパストラバーサルの脆弱性
Summary	未確定本件は、脆弱性として確定していません。 FEBS-Shiro には、パストラバーサルの脆弱性が存在します。ベンダは、本脆弱性に対して異議を唱えています。詳細については、以下の NVD の Current Description を確認してください。 https://nvd.nist.gov/vuln/detail/CVE-2018-20437
Possible impacts	情報を取得される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Nov. 5, 2018, midnight
Registration Date	March 26, 2019, 3:11 p.m.
Last Update	March 26, 2019, 3:11 p.m.

Affected System

mrbird project

febs shiro 2018/11/05 より前

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2018-20437	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20437
2	CVE-2018-20437	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20437
National Vulnerability Database (NVD)
3	CVE-2018-20437	https://nvd.nist.gov/vuln/detail/CVE-2018-20437
4	CVE-2018-20437	https://nvd.nist.gov/vuln/detail/CVE-2018-20437

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-22	https://jvndb.jvn.jp/ja/cwe/CWE-22.html
2	CWE-22	https://jvndb.jvn.jp/ja/cwe/CWE-22.html

ベンダー情報

No	Name	URL
GitHub
1	committed Nov 5, 2018	https://github.com/wuyouzhuguli/FEBS-Shiro/commit/9a753215b0969a5d5b5bfe8c68585339fee96260
2	committed Nov 5, 2018	https://github.com/wuyouzhuguli/FEBS-Shiro/commit/9a753215b0969a5d5b5bfe8c68585339fee96260
3	committed Nov 6, 2018	https://github.com/wuyouzhuguli/FEBS-Shiro/commit/a9706b1b3c96bacece24886429b4423c3a467acd
4	committed Nov 6, 2018	https://github.com/wuyouzhuguli/FEBS-Shiro/commit/a9706b1b3c96bacece24886429b4423c3a467acd

Change Log

No	Changed Details	Date of change
1	[2019年03月26日] 掲載	March 26, 2019, 3:11 p.m.