[FOLIO-3636] mod-workflow postHandleEventsWithFile Path Traversal vulnerability - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: P2
Resolution: Done
Component/s: None
Labels:
- security
- security-reviewed

Template:

Standard Bug Write-Up Format
Development Team:
Other dev
RCA Group:
Implementation coding issue

Description

https://github.com/folio-org/mod-workflow/blob/13289327f0b4c14364387fb50e00d5f6b3571306/service/src/main/java/org/folio/rest/workflow/controller/EventController.java#L93

overwrites a file at a path location provided in the HTTP request.

How is the .jar file protected from being overwritten (Remote Code Execution)?

How are files from tenant a being protected from getting overwritten by tenant b?

Learn more about Relative Path Traversal at https://cwe.mitre.org/data/definitions/23.html

TestRail: Results

Attachments

Activity

People

Assignee:: Jeremy Huff

Reporter:: Julian Ladisch

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 09/Nov/22 7:59 AM

Updated:: 27/Feb/23 3:31 PM

Resolved:: 27/Feb/23 3:31 PM

TestRail: Runs

TestRail: Cases