Incorrect Default Permissions in Apache Commons FileUpload

CVE-2013-0248 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.

Basic information

Type: reviewed
Severity: low
Advisory on GitHub: Open advisory ↗
Repository advisory: —
Source code: Not specified
Published (advisory): 2022-05-05 02:48:41 UTC
Updated: 2023-01-27 05:02:04 UTC
GitHub reviewed: 2022-07-08 18:59:32 UTC
NVD published: 2013-03-15 20:55:00 UTC

EPSS Score

Score	Percentile
0.07%	21.13%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

Type	Value
GHSA	GHSA-vm69-474v-7q2w ↗
CVE	CVE-2013-0248 ↗

CWEs

CWE id	Name
CWE-276	Incorrect Default Permissions

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem	Package	Vulnerable range	First patched	Vulnerable functions
maven	commons-fileupload:commons-fileupload	>= 1.0, < 1.2.2	1.2.2	—

References

cvelogic Threat Intelligence