CVE-2016-2164: Infoleak
First published: Mon Apr 11 2016(Updated: )
The (1) FileService.importFileByInternalUserId and (2) FileService.importFile SOAP API methods in Apache OpenMeetings before 3.1.1 improperly use the Java URL class without checking the specified protocol handler, which allows remote attackers to read arbitrary files by attempting to upload a file.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache OpenMeetings | <=3.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2016-2164?
CVE-2016-2164 has been assigned a medium severity level due to its potential for remote file reading.
How do I fix CVE-2016-2164?
To fix CVE-2016-2164, upgrade Apache OpenMeetings to version 3.1.1 or later.
What resources are affected by CVE-2016-2164?
The vulnerability affects all versions of Apache OpenMeetings prior to 3.1.1.
How does CVE-2016-2164 work?
CVE-2016-2164 allows remote attackers to exploit improper handling of the Java URL class to read arbitrary files.
Is CVE-2016-2164 easy to exploit?
Yes, CVE-2016-2164 is considered relatively easy to exploit due to the improper validation in the API methods.
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/remedy
- agent/author
- agent/first-publish-date
- agent/tags
- agent/description
- agent/event
- agent/source
- vendor/apache
- canonical/apache openmeetings
- version/apache openmeetings/3.1.0