GHSA-h2rq-qhr7-53gm

Suggest an improvement
Source
https://github.com/advisories/GHSA-h2rq-qhr7-53gm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-h2rq-qhr7-53gm/GHSA-h2rq-qhr7-53gm.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-h2rq-qhr7-53gm
Aliases
Published
2024-02-06T12:30:30Z
Modified
2024-02-14T15:16:17.436120Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Apache Sling Servlets Resolver executes malicious code via path traversal
Details

Malicious code execution via path traversal in Apache Software Foundation Apache Sling Servlets Resolver.This issue affects all version of Apache Sling Servlets Resolver before 2.11.0. However, whether a system is vulnerable to this attack depends on the exact configuration of the system. If the system is vulnerable, a user with write access to the repository might be able to trick the Sling Servlet Resolver to load a previously uploaded script. 

Users are recommended to upgrade to version 2.11.0, which fixes this issue. It is recommended to upgrade, regardless of whether your system configuration currently allows this attack or not.

Database specific
{
    "nvd_published_at": "2024-02-06T10:15:08Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-06T18:24:31Z"
}
References

Affected packages

Maven / org.apache.sling:org.apache.sling.servlets.resolver

Package

Name
org.apache.sling:org.apache.sling.servlets.resolver
View open source insights on deps.dev
Purl
pkg:maven/org.apache.sling/org.apache.sling.servlets.resolver

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.11.0

Affected versions

2.*

2.0.4-incubator
2.0.6-incubator
2.0.8
2.1.0
2.1.2
2.2.0
2.2.2
2.2.4
2.3.0
2.3.2
2.3.4
2.3.6
2.3.8
2.4.0
2.4.2
2.4.4
2.4.6
2.4.8
2.4.10
2.4.12
2.4.14
2.4.20
2.4.22
2.4.24
2.5.2
2.5.4
2.5.6
2.5.8
2.6.0
2.6.4
2.7.0
2.7.2
2.7.4
2.7.6
2.7.8
2.7.10
2.7.12
2.7.14
2.8.0
2.8.2
2.9.0
2.9.2
2.9.4
2.9.6
2.9.8
2.9.10
2.9.12
2.9.14
2.10.0