Vulnerability Details : CVE-2016-2164
The (1) FileService.importFileByInternalUserId and (2) FileService.importFile SOAP API methods in Apache OpenMeetings before 3.1.1 improperly use the Java URL class without checking the specified protocol handler, which allows remote attackers to read arbitrary files by attempting to upload a file.
Products affected by CVE-2016-2164
- cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-2164
0.81%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 72 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-2164
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
|
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2016-2164
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-2164
-
https://www.apache.org/dist/openmeetings/3.1.1/CHANGELOG
404 Not Found
-
http://www.securityfocus.com/archive/1/537887/100/0/threaded
SecurityFocus
-
http://packetstormsecurity.com/files/136434/Apache-OpenMeetings-3.0.7-Arbitary-File-Read.html
Apache OpenMeetings 3.0.7 Arbitary File Read ≈ Packet Storm
-
http://openmeetings.apache.org/security.html
Apache OpenMeetings Project – Security VulnerabilitiesPatch;Vendor Advisory
Jump to