CVE-2014-8114

{"id": "CVE-2014-8114", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2015-02-20T16:59:02.430", "references": [{"url": "http://rhn.redhat.com/errata/RHSA-2015-0234.html", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2015-0235.html", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "http://www.securityfocus.com/bid/88199", "source": "secalert@redhat.com"}, {"url": "https://github.com/uberfire/uberfire/commit/21ec50eb15", "source": "secalert@redhat.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2015-0234.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://rhn.redhat.com/errata/RHSA-2015-0235.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/88199", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/uberfire/uberfire/commit/21ec50eb15", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "The UberFire Framework 0.3.x does not properly restrict paths, which allows remote attackers to (1) execute arbitrary code by uploading crafted content to FileUploadServlet or (2) read arbitrary files via vectors involving FileDownloadServlet."}, {"lang": "es", "value": "El Framework UberFire 0.3.x no restringe rutas correctamente, lo que permite a atacantes remotos (1) ejecutar c\u00f3digo arbitrario mediante la subida de un contenido manipulado en FileUploadServlet o (2) leer ficheros arbitrarios a trav\u00e9s de vectores que involucran FileDownloadServlet."}], "lastModified": "2025-04-12T10:46:40.837", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:uberfire:0.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D77C7E1E-DEB1-4274-A24B-E6055DDA7B28"}, {"criteria": "cpe:2.3:a:redhat:uberfire:0.3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93450F9F-B493-43B4-AA0B-4CFC560727A4"}, {"criteria": "cpe:2.3:a:redhat:uberfire:0.3.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3689A871-C3E5-47D5-8A57-45B6C3643704"}, {"criteria": "cpe:2.3:a:redhat:uberfire:0.3.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "583BBDC5-EFB4-482C-94EC-E529AE938091"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}