CVE-2019-18393: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

May 24, 2022 (updated November 22, 2022)

PluginServlet.java in Ignite Realtime Openfire through 4.4.2 does not ensure that retrieved files are located under the Openfire home directory, aka a directory traversal vulnerability.

References

github.com/advisories/GHSA-59h8-h34r-q9cv
github.com/igniterealtime/Openfire/commit/cb900749d4e836b32cc6e2cc41cda17f252b977d
github.com/igniterealtime/Openfire/pull/1498
nvd.nist.gov/vuln/detail/CVE-2019-18393
swarm.ptsecurity.com/openfire-admin-console/

Detect and mitigate CVE-2019-18393 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →