Vulnerability-Lookup

CNVD-2018-04628

Vulnerability from cnvd - Published: 2018-03-08

Title

Apache ODE覆盖漏洞

Description

Apache ODE是美国阿帕奇（Apache）软件基金会的一款业务流程构建引擎，它具有与Web服务通信、发送和接收消息，处理数据操作和错误恢复功能。 Apache ODE中存在安全漏洞。攻击者可利用该漏洞写入、覆盖或删除文件。

Severity

高

Patch Name

Apache ODE覆盖漏洞的补丁

Patch Description

Apache ODE是美国阿帕奇（Apache）软件基金会的一款业务流程构建引擎，它具有与Web服务通信、发送和接收消息，处理数据操作和错误恢复功能。 Apache ODE中存在安全漏洞。攻击者可利用该漏洞写入、覆盖或删除文件。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： http://mail-archives.apache.org/mod_mbox/www-announce/200908.mbox/%3Cfbdc6a970908072141w20a7a9d9ka1f896ad8073dffb%40mail.gmail.com%3E

Reference

http://mail-archives.apache.org/mod_mbox/www-announce/200908.mbox/%3Cfbdc6a970908072141w20a7a9d9ka1f896ad8073dffb%40mail.gmail.com%3E https://lists.apache.org/thread.html/ce416ddfba1a87f4b8e2d8125f1c3b45d1f0b350af29a4d0405e213b@%3Cuser.ode.apache.org%3E

Impacted products

Name
Apache ODE <1.3.3

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-1316"
    }
  },
  "description": "Apache ODE\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u4e1a\u52a1\u6d41\u7a0b\u6784\u5efa\u5f15\u64ce\uff0c\u5b83\u5177\u6709\u4e0eWeb\u670d\u52a1\u901a\u4fe1\u3001\u53d1\u9001\u548c\u63a5\u6536\u6d88\u606f\uff0c\u5904\u7406\u6570\u636e\u64cd\u4f5c\u548c\u9519\u8bef\u6062\u590d\u529f\u80fd\u3002\r\n\r\nApache ODE\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5199\u5165\u3001\u8986\u76d6\u6216\u5220\u9664\u6587\u4ef6\u3002",
  "discovererName": "unknown",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttp://mail-archives.apache.org/mod_mbox/www-announce/200908.mbox/%3Cfbdc6a970908072141w20a7a9d9ka1f896ad8073dffb%40mail.gmail.com%3E",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-04628",
  "openTime": "2018-03-08",
  "patchDescription": "Apache ODE\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u4e1a\u52a1\u6d41\u7a0b\u6784\u5efa\u5f15\u64ce\uff0c\u5b83\u5177\u6709\u4e0eWeb\u670d\u52a1\u901a\u4fe1\u3001\u53d1\u9001\u548c\u63a5\u6536\u6d88\u606f\uff0c\u5904\u7406\u6570\u636e\u64cd\u4f5c\u548c\u9519\u8bef\u6062\u590d\u529f\u80fd\u3002\r\n\r\nApache ODE\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5199\u5165\u3001\u8986\u76d6\u6216\u5220\u9664\u6587\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache ODE\u8986\u76d6\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache ODE \u003c1.3.3"
  },
  "referenceLink": "http://mail-archives.apache.org/mod_mbox/www-announce/200908.mbox/%3Cfbdc6a970908072141w20a7a9d9ka1f896ad8073dffb%40mail.gmail.com%3E\r\nhttps://lists.apache.org/thread.html/ce416ddfba1a87f4b8e2d8125f1c3b45d1f0b350af29a4d0405e213b@%3Cuser.ode.apache.org%3E",
  "serverity": "\u9ad8",
  "submitTime": "2018-03-07",
  "title": "Apache ODE\u8986\u76d6\u6f0f\u6d1e"
}

CVE-2018-1316 (GCVE-0-2018-1316)

Vulnerability from cvelistv5 – Published: 2018-03-05 14:00 – Updated: 2024-09-17 03:07

Summary

The ODE process deployment web service was sensible to deployment messages with forged names. Using a path for the name was allowing directory traversal, resulting in the potential writing of files under unwanted locations, the overwriting of existing files or their deletion. This issue was addressed in Apache ODE 1.3.3 which was released in 2009, however the incorrect name CVE-2008-2370 was used on the advisory by mistake.

Severity

No CVSS data available.

CWE

Directory Traversal

Assigner

apache

References

2 references

URL	Tags
https://lists.apache.org/thread.html/ce416ddfba1a…	mailing-listx_refsource_MLIST
http://mail-archives.apache.org/mod_mbox/www-anno…	mailing-listx_refsource_MLIST

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache ODE	Affected: prior to 1.3.3

Date Public

2009-08-08 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:59:38.395Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[user] 20180304 CVE-2018-1316 used to cover issue incorrectly used CVE-2008-2370 for ODE 1.3.3",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ce416ddfba1a87f4b8e2d8125f1c3b45d1f0b350af29a4d0405e213b%40%3Cuser.ode.apache.org%3E"
          },
          {
            "name": "[www-announce] 20090808 Apache ODE 1.3.3",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://mail-archives.apache.org/mod_mbox/www-announce/200908.mbox/%3Cfbdc6a970908072141w20a7a9d9ka1f896ad8073dffb%40mail.gmail.com%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache ODE",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 1.3.3"
            }
          ]
        }
      ],
      "datePublic": "2009-08-08T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The ODE process deployment web service was sensible to deployment messages with forged names. Using a path for the name was allowing directory traversal, resulting in the potential writing of files under unwanted locations, the overwriting of existing files or their deletion. This issue was addressed in Apache ODE 1.3.3 which was released in 2009, however the incorrect name CVE-2008-2370 was used on the advisory by mistake."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Directory Traversal",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-03-05T13:57:01.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "[user] 20180304 CVE-2018-1316 used to cover issue incorrectly used CVE-2008-2370 for ODE 1.3.3",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ce416ddfba1a87f4b8e2d8125f1c3b45d1f0b350af29a4d0405e213b%40%3Cuser.ode.apache.org%3E"
        },
        {
          "name": "[www-announce] 20090808 Apache ODE 1.3.3",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://mail-archives.apache.org/mod_mbox/www-announce/200908.mbox/%3Cfbdc6a970908072141w20a7a9d9ka1f896ad8073dffb%40mail.gmail.com%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "DATE_PUBLIC": "2009-08-08T00:00:00",
          "ID": "CVE-2018-1316",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache ODE",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "prior to 1.3.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The ODE process deployment web service was sensible to deployment messages with forged names. Using a path for the name was allowing directory traversal, resulting in the potential writing of files under unwanted locations, the overwriting of existing files or their deletion. This issue was addressed in Apache ODE 1.3.3 which was released in 2009, however the incorrect name CVE-2008-2370 was used on the advisory by mistake."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Directory Traversal"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[user] 20180304 CVE-2018-1316 used to cover issue incorrectly used CVE-2008-2370 for ODE 1.3.3",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ce416ddfba1a87f4b8e2d8125f1c3b45d1f0b350af29a4d0405e213b@%3Cuser.ode.apache.org%3E"
            },
            {
              "name": "[www-announce] 20090808 Apache ODE 1.3.3",
              "refsource": "MLIST",
              "url": "http://mail-archives.apache.org/mod_mbox/www-announce/200908.mbox/%3Cfbdc6a970908072141w20a7a9d9ka1f896ad8073dffb%40mail.gmail.com%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2018-1316",
    "datePublished": "2018-03-05T14:00:00.000Z",
    "dateReserved": "2017-12-07T00:00:00.000Z",
    "dateUpdated": "2024-09-17T03:07:11.345Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-04628

CVE-2018-1316 (GCVE-0-2018-1316)

Tags

Sightings

Nomenclature