CVE-2013-2186: Arbitrary file upload via deserialization

October 28, 2013 (updated January 8, 2018)

The DiskFileItem class in this package allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.

References

access.redhat.com/security/cve/CVE-2013-2186
bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2186

Detect and mitigate CVE-2013-2186 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →