In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component.
The reason for this is a not completely secure extraction of the file name in the FileUploadProcessor.stripFileName(String name) method. As soon as this finds a / in the path, everything before it is removed, but potentially \ (backslashes) coming further back are kept.
For example, a file name such as /....\webapps\shell.war can be used to upload a file to a Tomcat server under Windows, which is then saved as ....\webapps\shell.war in its webapps directory and can then be executed.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/4xxx/CVE-2023-4760.json",
"cna_assigner": "eclipse",
"cwe_ids": [
"CWE-22",
"CWE-23"
]
}{
"source": [
"AFFECTED_FIELD",
"CPE_RANGE"
],
"cpe": "cpe:2.3:a:eclipse:remote_application_platform:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "3.0.0"
},
{
"last_affected": "3.25.0"
}
]
}