BUG - External Control of File Name or Path - FileTransform.java
Bug #1406411 reported by
David Camilo
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| simple-xml (Ubuntu) |
Expired
|
Undecided
|
Unassigned | ||
Bug Description
Good Day,
We are currently using simple-xml-2.6.2 and the veracode analysis found this bug:
Description
This call contains a path manipulation flaw. The argument to the function is a filename constructed using user-supplied
input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to
files on the server, including those outside the webroot, that would be normally be inaccessible to end users. The level
of exposure depends on the effectiveness of input validation routines, if any.
This bug is in FileTransform.java (line 57), Is this error is a false positive?
Thanks.
Revision history for this message
| Seth Arnold (seth-arnold) wrote | #1 |
| Changed in simple-xml (Ubuntu): | |
| status: | New → Incomplete |
| information type: | Private Security → Public Security |
Revision history for this message
| Seth Arnold (seth-arnold) wrote | #2 |
Revision history for this message
| David Camilo (david-espitia) wrote | #3 |
Revision history for this message
| Launchpad Janitor (janitor) wrote | #4 |
| Changed in simple-xml (Ubuntu): | |
| status: | Incomplete → Expired |
To post a comment you must log in.
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https:/