CVE-2018-11248: Path Traversal
util/FileDownloadUtils.java in FileDownloader does not check an attachment name. If an attacker places ../ in the file name, the file can be stored in an unintended directory because of Directory Traversal.
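One way to check an attachment name before writing to disk, as an added example that is not FileDownloader's own code or its fix. The class and method names (SafeAttachmentPath, resolve) and the sample names are hypothetical and constructed for illustration.

```java
import java.io.File;
import java.io.IOException;

// Added example: SafeAttachmentPath and resolve are hypothetical names,
// not part of FileDownloader.
public class SafeAttachmentPath {

    // Resolve an untrusted attachment name inside downloadDir, or throw.
    // The unchecked pattern is simply: new File(downloadDir, attachmentName).
    static File resolve(File downloadDir, String attachmentName) throws IOException {
        if (attachmentName == null || attachmentName.isEmpty()) {
            throw new IOException("empty attachment name");
        }
        // The name must be a single path component: no separators, no NUL,
        // and not the special entries "." or "..".
        if (attachmentName.indexOf('/') >= 0 || attachmentName.indexOf('\\') >= 0
                || attachmentName.indexOf('\0') >= 0
                || attachmentName.equals(".") || attachmentName.equals("..")) {
            throw new IOException("illegal attachment name: " + attachmentName);
        }
        // Defence in depth: the canonical target must stay under the canonical base.
        File base = downloadDir.getCanonicalFile();
        File target = new File(base, attachmentName).getCanonicalFile();
        if (target.equals(base) || !target.toPath().startsWith(base.toPath())) {
            throw new IOException("attachment escapes download directory");
        }
        return target;
    }

    public static void main(String[] args) {
        File dir = new File(System.getProperty("java.io.tmpdir"), "downloads");
        // Constructed sample attachment names.
        String[] names = {"report.pdf", "../../evil.sh", "..", "a/../../b", "..\\x.dll"};
        for (String n : names) {
            try {
                System.out.println("OK      " + n + " -> " + resolve(dir, n));
            } catch (IOException e) {
                System.out.println("REJECT  " + n + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only report.pdf is accepted; every name containing a separator or equal to .. is rejected before any file is created.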