CVE-2018-1306

HIGH

Apache Pluto < 3.0.1 - Information Disclosure

Title source: rule

Description

The PortletV3AnnotatedDemo Multipart Portlet war file code provided in Apache Pluto version 3.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to restrict path information provided during a file upload. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.

Exploits (5)

exploitdb WORKING POC

by Che-Chun Kuo · textwebappswindows

https://www.exploit-db.com/exploits/45396

View Code ZIP pw:eip

nomisec WORKING POC

by dawetmaster · poc

https://github.com/dawetmaster/CVE-2018-1306-portals-pluto-vulnerable

View Code ZIP pw:eip

nomisec WORKING POC

by andikahilmy · poc

https://github.com/andikahilmy/CVE-2018-1306-portals-pluto-vulnerable

View Code ZIP pw:eip

nomisec

by Imsol0 · poc

https://github.com/Imsol0/APACHE-CVE-2018-1306-Lab-project

View on nomisec

nomisec WORKING POC

by JJSO12 · poc

https://github.com/JJSO12/Apache-Pluto-3.0.0--CVE-2018-1306

View Code ZIP pw:eip

References (2)

[Mitigation, Vendor Advisory] http://portals.apache.org/pluto/security.html

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/45396/

Scores

CVSS v3 7.5

EPSS 0.6519

EPSS Percentile 98.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-200

Status published

Products (2)

apache/pluto 3.0.0

org.apache.portals.pluto/pluto-container 3.0.0 - 3.0.1Maven

Published Jun 27, 2018

Tracked Since Feb 18, 2026