CVE Vulnerabilities

CVE-2024-43033

Improper Handling of Windows ::DATA Alternate Data Stream

Published: Aug 22, 2024 | Modified: Aug 22, 2024
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

JPress through 5.1.1 on Windows has an arbitrary file upload vulnerability that could cause arbitrary code execution via ::$DATA to AttachmentController, such as a .jsp::$DATA file to io.jpress.web.commons.controller.AttachmentController#upload. NOTE: this is unrelated to the attack vector for CVE-2024-32358.

Weakness

The product does not properly prevent access to, or detect usage of, alternate data streams (ADS).

Potential Mitigations

References