CVE-2023-4760

Remote Code Execution in Eclipse RAP on Windows

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component.

The reason for this is a not completely secure extraction of the file name in the FileUploadProcessor.stripFileName(String name) method. As soon as this finds a / in the path, everything before it is removed, but potentially \ (backslashes) coming further back are kept.

For example, a file name such as /..\..\webapps\shell.war can be used to upload a file to a Tomcat server under Windows, which is then saved as ..\..\webapps\shell.war in its webapps directory and can then be executed.

En las versiones de Eclipse RAP desde 3.0.0 hasta 3.25.0 incluida, la Ejecución Remota de Código es posible en Windows cuando se utiliza el componente FileUpload. La razón de esto es una extracción no completamente segura del nombre del archivo en el método FileUploadProcessor.stripFileName(String name). Tan pronto como esto encuentre una/en la ruta, todo lo anterior se elimina, pero potencialmente \ (barras invertidas) que vienen más atrás se mantienen. Por ejemplo, se puede utilizar un nombre de archivo como /..\..\webapps\shell.war para cargar un archivo en un servidor Tomcat en Windows, que luego se guarda como ..\..\webapps\shell.war. en su directorio webapps y luego se puede ejecutar.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-09-04 CVE Reserved
2023-09-21 CVE Published
2024-08-02 CVE Updated
2024-08-02 First Exploit
2024-08-21 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-23: Relative Path Traversal

CAPEC

CAPEC-154: Resource Location Spoofing

References (2)

URL	Tag	Source

URL	Date	SRC
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/160	2024-08-02

URL	Date	SRC
https://github.com/eclipse-rap/org.eclipse.rap/pull/141	2023-09-26

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Eclipse Search vendor "Eclipse"		Remote Application Platform Search vendor "Eclipse" for product "Remote Application Platform"				>= 3.0.0 <= 3.25.0 Search vendor "Eclipse" for product "Remote Application Platform" and version " >= 3.0.0 <= 3.25.0"		-		Affected