
CVE-2013-2186: Arbitrary file write in Apache Commons Fileupload

CVSS Score: N/A

Basic Information

EPSS Score: 0.99563%
Published: 5/14/2022
Updated: 3/5/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Package Name: commons-fileupload:commons-fileupload
Ecosystem: maven
Vulnerable Versions: < 1.3.1
First Patched Version: 1.3.1

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from improper input validation during deserialization of DiskFileItem objects. The commit diff shows critical validation checks were added to the readObject method, including null byte detection in repository paths and directory verification. Prior to this fix, the absence of these checks allowed attackers to exploit Java's serialization mechanism to write files to unintended locations. The test cases added in DiskFileItemSerializeTest.java specifically validate these scenarios, confirming the attack vector involved deserialization of malicious DiskFileItem instances.
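The following is an added example written for this page, not the project's own DiskFileItem code: a minimal Serializable class whose readObject hook performs the two checks the analysis describes (NUL byte in the repository path, repository must be an existing directory) before any file I/O could use the deserialized state. The Item class, its repository field and the roundTrip helper are hypothetical stand-ins; the inputs are constructed locally to show which instances the hook rejects.

```java
import java.io.*;

// Illustrative hardened readObject(), modelled on the fix described above.
public class RepositoryCheckDemo {

    static final class Item implements Serializable {
        private static final long serialVersionUID = 1L;
        // Hypothetical stand-in for the repository directory held by a file item.
        private final File repository;

        Item(File repository) { this.repository = repository; }

        // Deserialization hook: validate untrusted state before it is ever used.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (repository != null) {
                String path = repository.getPath();
                if (path.indexOf('\0') >= 0) {
                    throw new InvalidObjectException("repository path contains a NUL byte");
                }
                if (!repository.isDirectory()) {
                    throw new InvalidObjectException("repository is not a directory: " + path);
                }
            }
        }
    }

    // Serialize then deserialize; returns null when accepted, else the rejection reason.
    static String roundTrip(Item item) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(item); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            in.readObject();
            return null;
        } catch (InvalidObjectException e) {
            return e.getMessage();
        } catch (ClassNotFoundException e) {
            throw new IOException(e);
        }
    }

    public static void main(String[] args) throws IOException {
        File tmp = new File(System.getProperty("java.io.tmpdir"));
        // Constructed inputs: a real directory, a NUL-containing path, a non-directory.
        System.out.println("valid dir : " + roundTrip(new Item(tmp)));
        System.out.println("NUL byte  : " + roundTrip(new Item(new File(tmp, "x\0.txt"))));
        System.out.println("not a dir : " + roundTrip(new Item(new File(tmp, "no-such-subdir-constructed"))));
    }
}
```

Only the first round trip is accepted; the other two are rejected inside readObject, before the instance can be used for a write.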


WAF Protection Rules

WAF Rule

The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name i
