CVE-2018-1306

high-risk

Published 2018-06-27

The PortletV3AnnotatedDemo Multipart Portlet war file code provided in Apache Pluto version 3.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to restrict path information provided during a file upload. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.

Do I need to act?

65.2% chance of exploitation in next 30 days

EPSS score — higher than 35% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

45396

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (1)

Pluto

Affected Vendors

Apache

References (4)

Mitigation http://portals.apache.org/pluto/security.html

Exploit https://www.exploit-db.com/exploits/45396/

Mitigation http://portals.apache.org/pluto/security.html

Exploit https://www.exploit-db.com/exploits/45396/

/ 100

high-risk

Severity 26/34 · High

Exploitability 19/34 · Moderate

Exposure 5/34 · Minimal