CVE-2014-8114: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

May 14, 2022 (updated August 16, 2023)

The UberFire Framework 0.3.x does not properly restrict paths, which allows remote attackers to (1) execute arbitrary code by uploading crafted content to FileUploadServlet or (2) read arbitrary files via vectors involving FileDownloadServlet.

References

rhn.redhat.com/errata/RHSA-2015-0234.html
rhn.redhat.com/errata/RHSA-2015-0235.html
github.com/advisories/GHSA-6h58-c7r7-g2hw
github.com/uberfire/uberfire/commit/21ec50eb15
nvd.nist.gov/vuln/detail/CVE-2014-8114
web.archive.org/web/20200227080813/http://www.securityfocus.com/bid/88199

Code Behaviors & Features

Detect and mitigate CVE-2014-8114 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →