Sub-task
Resolution: Done
Medium
Explanation
The Apache httpcomponents component is vulnerable to Directory Traversal. The normalizePath() function in the URIBuilder class allows directory traversal characters such as ../. An attacker can exploit this vulnerability by sending a specially crafted request containing this sequence in the URL path, allowing the attacker to traverse beyond the allowed directory and retrieve the contents of arbitrary files from the server, leading to information disclosure.
Detection
The application is considered vulnerable because it includes this component.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
This jar is pulled in transitively from OpenDaylight (ODL), as the Maven dependency tree below shows:
[INFO] +- org.opendaylight.controller:opendaylight-karaf-empty:zip:1.8.3-Carbon:compile
[INFO] | +- org.apache.karaf.features:framework:kar:3.0.8:compile
[INFO] | | +- org.apache.karaf:org.apache.karaf.main:jar:3.0.8:runtime
[INFO] | | | - org.apache.karaf:org.apache.karaf.util:jar:3.0.8:runtime
[INFO] | | | - org.apache.felix:org.apache.felix.utils:jar:1.8.2:runtime
[INFO] | | +- org.apache.karaf:org.apache.karaf.exception:jar:3.0.8:runtime
[INFO] | | +- org.apache.karaf:org.apache.karaf.client:jar:3.0.8:runtime
[INFO] | | +- org.apache.karaf.jaas:org.apache.karaf.jaas.boot:jar:3.0.8:compile
[INFO] | | +- org.eclipse:org.eclipse.osgi:jar:3.8.2.v20130124-134944:runtime
[INFO] | | +- org.apache.felix:org.apache.felix.framework:jar:4.2.1:runtime
[INFO] | | +- jline:jline:jar:2.13:compile
[INFO] | | +- org.jledit:core:jar:0.2.1:compile
[INFO] | | +- org.ops4j.pax.logging:pax-logging-api:jar:1.8.4:compile
[INFO] | | +- org.ops4j.pax.logging:pax-logging-service:jar:1.8.4:compile
[INFO] | | +- org.ops4j.pax.url:pax-url-aether:jar:2.5.2:test
[INFO] | | | - org.ops4j.pax.url:pax-url-aether-support:jar:2.5.2:test
[INFO] | | | - org.eclipse.aether:aether-impl:jar:1.0.2.v20150114:test
[INFO] | | | +- org.eclipse.aether:aether-api:jar:1.0.2.v20150114:test
[INFO] | | | +- org.eclipse.aether:aether-spi:jar:1.0.2.v20150114:test
[INFO] | | | - org.eclipse.aether:aether-util:jar:1.0.2.v20150114:test
[INFO] | | +- org.ops4j.pax.url:pax-url-wrap:jar:uber:2.4.7:compile
[INFO] | | +- org.apache.karaf.features:org.apache.karaf.features.command:jar:3.0.8:compile
[INFO] | | | - org.apache.karaf.features:org.apache.karaf.features.core:jar:3.0.8:compile
[INFO] | | +- org.apache.karaf.bundle:org.apache.karaf.bundle.core:jar:3.0.8:compile
[INFO] | | +- org.apache.karaf.bundle:org.apache.karaf.bundle.command:jar:3.0.8:compile
[INFO] | | +- org.apache.karaf.shell:org.apache.karaf.shell.console:jar:4.0.10:compile
[INFO] | | | +- org.apache.karaf.jaas:org.apache.karaf.jaas.modules:jar:4.0.10:compile
[INFO] | | | | - org.apache.karaf.jaas:org.apache.karaf.jaas.config:jar:4.0.10:compile
[INFO] | | | - org.apache.karaf.shell:org.apache.karaf.shell.core:jar:4.0.10:compile
[INFO] | | +- org.apache.karaf.shell:org.apache.karaf.shell.help:jar:3.0.8:compile
[INFO] | | +- org.apache.karaf.shell:org.apache.karaf.shell.table:jar:3.0.8:compile
[INFO] | | +- org.apache.karaf.system:org.apache.karaf.system.core:jar:3.0.8:compile
[INFO] | | +- org.apache.karaf.system:org.apache.karaf.system.command:jar:3.0.8:compile
[INFO] | | +- org.apache.karaf.shell:org.apache.karaf.shell.commands:jar:3.0.8:compile