CVE-2018-1316

HIGH

Apache ODE 1.1.1-1.3.2 - Path Traversal and Arbitrary File Write via Process Deployment Web Service

Title source: llm

Description

The ODE process deployment web service was sensible to deployment messages with forged names. Using a path for the name was allowing directory traversal, resulting in the potential writing of files under unwanted locations, the overwriting of existing files or their deletion. This issue was addressed in Apache ODE 1.3.3 which was released in 2009, however the incorrect name CVE-2008-2370 was used on the advisory by mistake.

References (2)

Core 2

Core References

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/ce416ddfba1a87f4b8e2d8125f1c3b45d1f0b350af29a4d0405e213b%40%3Cuser.ode.apache.org%3E

Vendor Advisory mailing-list x_refsource_mlist

http://mail-archives.apache.org/mod_mbox/www-announce/200908.mbox/%3Cfbdc6a970908072141w20a7a9d9ka1f896ad8073dffb%40mail.gmail.com%3E

Scores

CVSS v3 7.5

EPSS 0.0216

EPSS Percentile 84.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-22

Status published

Products (5)

apache/ode 1.0 incubating (5 CPE variants)

apache/ode 1.1 rc1 (5 CPE variants)

apache/ode 1.1.1 rc1

apache/ode 1.1.1 - 1.3.2

org.apache.ode/ode 0 - 1.3.3Maven

Published Mar 05, 2018

Tracked Since Feb 18, 2026