Issue2681

Classification
Title: Arbitrary file retrieval
Type: security
Severity:
Components: website
Versions:
Milestone:

Process
Status: pending
Resolution: invalid
Dependencies:
Superseder:
Assigned To:
Nosy List: deadshot, fwierzbicki, jeff.allen
Priority:
Keywords:

Created on 2018-05-08.08:07:36 by deadshot, last changed 2018-05-08.22:13:46 by jeff.allen.

Files
File name: jython.zip
Uploaded: deadshot, 2018-05-08.08:07:35
Description: File contains POC screen shots of how to retrieve arbitrary files
Messages
msg11964 (view) Author: Jeff Allen (jeff.allen) Date: 2018-05-08.22:13:45
Thanks for your interest in the security of jython.org and for going to the trouble of assembling this report.

If there were a problem here, it would be with maven.org, not with jython.org. But I think there isn't.

In the page you've generated, these (relative) links don't actually go anywhere. However, a working page much like it is accessible from the search page: https://search.maven.org/#search%7Cga%7C1%7C Follow the BROWSE link to: https://repo1.maven.org/maven2/

These appear all to be files that maven.org is happy to give you.
History
2018-05-08 22:13:46 | jeff.allen | set
  status: open -> pending
  severity: major ->
  versions: - Jython 2.7.4
  nosy: + jeff.allen, fwierzbicki
  title: Arbitraty file retreival -> Arbitrary file retrieval
  messages: + msg11964
  resolution: invalid
2018-05-08 08:07:36 | deadshot | create