Upstream information

CVE-2013-2186 at MITRE

Description

The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v2 Scores (National Vulnerability Database)
Base Score: 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
SUSE Bugzilla entry: 846174 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Linux Enterprise Server 11 SP2
  • jakarta-commons-fileupload >= 1.1.1-1.35.1
  • jakarta-commons-fileupload-javadoc >= 1.1.1-1.35.1
Patchnames:
slessp2-jakarta-commons-fileupload
SUSE Linux Enterprise Server 11 SP3
  • jakarta-commons-fileupload >= 1.1.1-1.35.1
  • jakarta-commons-fileupload-javadoc >= 1.1.1-1.35.1
Patchnames:
slessp3-jakarta-commons-fileupload
SUSE Linux Enterprise Server 11 SP4
  • jakarta-commons-fileupload >= 1.1.1-1.37.1
  • jakarta-commons-fileupload-javadoc >= 1.1.1-1.37.1
Patchnames:
SUSE Linux Enterprise Server 11 SP4 GA jakarta-commons-fileupload
SUSE Linux Enterprise Server 12
  • jakarta-commons-fileupload >= 1.1.1-120.238
  • jakarta-commons-fileupload-javadoc >= 1.1.1-120.238
Patchnames:
SUSE Linux Enterprise Server 12 GA jakarta-commons-fileupload
SUSE Linux Enterprise Server 12 SP1
  • jakarta-commons-fileupload >= 1.1.1-120.238
  • jakarta-commons-fileupload-javadoc >= 1.1.1-120.238
Patchnames:
SUSE Linux Enterprise Server 12 SP1 GA jakarta-commons-fileupload
SUSE Linux Enterprise Server 12 SP2
  • jakarta-commons-fileupload >= 1.1.1-120.238
  • jakarta-commons-fileupload-javadoc >= 1.1.1-120.238
Patchnames:
SUSE Linux Enterprise Server 12 SP2 GA jakarta-commons-fileupload
SUSE Linux Enterprise Server 12 SP3
  • jakarta-commons-fileupload >= 1.1.1-120.238
  • jakarta-commons-fileupload-javadoc >= 1.1.1-120.238
Patchnames:
SUSE Linux Enterprise Server 12 SP3 GA jakarta-commons-fileupload
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
  • jakarta-commons-fileupload >= 1.1.1-120.113
  • jakarta-commons-fileupload-javadoc >= 1.1.1-120.113
Patchnames:
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 GA jakarta-commons-fileupload
SUSE Linux Enterprise Server for VMWare 11 SP2
  • jakarta-commons-fileupload >= 1.1.1-1.35.1
  • jakarta-commons-fileupload-javadoc >= 1.1.1-1.35.1
Patchnames:
slessp2-jakarta-commons-fileupload
SUSE Linux Enterprise Server for VMWare 11 SP3
  • jakarta-commons-fileupload >= 1.1.1-1.35.1
  • jakarta-commons-fileupload-javadoc >= 1.1.1-1.35.1
Patchnames:
slessp3-jakarta-commons-fileupload
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Server 11 SP3 for VMware
  • jakarta-commons-fileupload >= 1.1.1-1.35.1
  • jakarta-commons-fileupload-javadoc >= 1.1.1-1.35.1
Builds
SAT Patch Nr: 8446
SUSE Linux Enterprise Server 11 SP2
SUSE Linux Enterprise Server 11 SP2 for VMware
  • jakarta-commons-fileupload >= 1.1.1-1.35.1
  • jakarta-commons-fileupload-javadoc >= 1.1.1-1.35.1
Builds
SAT Patch Nr: 8445
SUSE Manager 1.2 for SLE 11 SP1
  • jakarta-commons-fileupload >= 1.1.1-1.35.1
Builds
SAT Patch Nr: 8444
openSUSE 12.3
  • jakarta-commons-fileupload >= 1.1.1-114.4.1
  • jakarta-commons-fileupload-javadoc >= 1.1.1-114.4.1
Patchnames:
openSUSE-2013-786
openSUSE Leap 42.1
  • jakarta-commons-fileupload >= 1.1.1-1.3
Patchnames:
openSUSE Leap 42.1 GA jakarta-commons-fileupload
openSUSE Leap 42.2
  • jakarta-commons-fileupload >= 1.1.1-2.37
Patchnames:
openSUSE Leap 42.2 GA jakarta-commons-fileupload
openSUSE Leap 42.3
  • jakarta-commons-fileupload >= 1.1.1-4.25
Patchnames:
openSUSE Leap 42.3 GA jakarta-commons-fileupload
openSUSE Tumbleweed
  • jakarta-commons-fileupload >= 1.1.1-125.11
  • jakarta-commons-fileupload-javadoc >= 1.1.1-125.11
Patchnames:
openSUSE Tumbleweed GA jakarta-commons-fileupload
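The following shell script is an added example and is not part of the SUSE advisory or of the jakarta-commons-fileupload package. It takes the fixed package versions from the table above and checks whether the jakarta-commons-fileupload RPM installed on a host is at or above the fixed version for a given product. The product keys (sles11sp2, sles12sp2-rpi, leap42.3, ...) are labels chosen for this example, and the version ordering uses GNU sort -V as an approximation of RPM's comparison.

```shell
#!/bin/sh
# Added example: verify that jakarta-commons-fileupload on a SUSE host is at or
# above the version that fixes CVE-2013-2186 (values taken from the table above).
# Assumes GNU coreutils (sort -V); rpm is only invoked if it is present.

# fixed_version PRODUCT -> prints the fixed VERSION-RELEASE for PRODUCT.
# The product keys are labels chosen for this example, not SUSE identifiers.
fixed_version() {
  case "$1" in
    sles11sp2|sles11sp3) echo "1.1.1-1.35.1" ;;
    sles11sp4)           echo "1.1.1-1.37.1" ;;
    sles12sp2-rpi)       echo "1.1.1-120.113" ;;   # SLES for Raspberry Pi 12 SP2
    sles12*)             echo "1.1.1-120.238" ;;   # SLES 12 GA through SP3
    leap42.1)            echo "1.1.1-1.3" ;;
    leap42.2)            echo "1.1.1-2.37" ;;
    leap42.3)            echo "1.1.1-4.25" ;;
    tumbleweed)          echo "1.1.1-125.11" ;;
    *) return 1 ;;
  esac
}

# is_fixed INSTALLED FIXED -> exit 0 when INSTALLED sorts at or after FIXED.
# sort -V puts the lower version first; if the lowest line is the fixed
# version, the installed one is equal or newer.
is_fixed() {
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)
  [ "$lowest" = "$2" ]
}

# check_installed PRODUCT -> queries rpm and reports patched / vulnerable.
# Exit codes: 0 patched or not installed, 1 vulnerable, 2 cannot determine.
check_installed() {
  fixed=$(fixed_version "$1") || { echo "unknown product key: $1" >&2; return 2; }
  command -v rpm >/dev/null 2>&1 || { echo "rpm not available on this host" >&2; return 2; }
  installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' jakarta-commons-fileupload 2>/dev/null) || {
    echo "jakarta-commons-fileupload is not installed: not affected"
    return 0
  }
  if is_fixed "$installed" "$fixed"; then
    echo "installed $installed >= fixed $fixed: patched for CVE-2013-2186"
  else
    echo "installed $installed < fixed $fixed: VULNERABLE to CVE-2013-2186"
    return 1
  fi
}

# Usage on a SLES 11 SP3 host:
#   check_installed sles11sp3
```

On a SUSE system the authoritative comparison is `zypper versioncmp INSTALLED FIXED`, which applies RPM's own version semantics; `sort -V` is used here only so the check also runs where zypper is absent. Note that the table lists versions per product and service pack, so pass the key matching the host, and remember that SLES 10 SP4 LTSS is still listed as Affected below with no fixed package.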


Status of this issue by product and package

Product(s) Source package State
SUSE Linux Enterprise Server 10 SP4 LTSS jakarta-commons-fileupload Affected
SUSE Linux Enterprise Server 11 SP1 jakarta-commons-fileupload Released
SUSE Linux Enterprise Server 11 SP1 LTSS jakarta-commons-fileupload Released
SUSE Linux Enterprise Server 11 SP2 jakarta-commons-fileupload Released
SUSE Linux Enterprise Server 11 SP2 LTSS jakarta-commons-fileupload Released
SUSE Linux Enterprise Server 11 SP3 jakarta-commons-fileupload Released
SUSE Linux Enterprise Server for SAP AIO 11 SP1 jakarta-commons-fileupload Released
SUSE Manager Server 1.2 jakarta-commons-fileupload Released