The vulnerability stems from the handleOtherRequest method in PluginServlet.java, which processes requests for plugin resources. Prior to the fix in commit cb90074, this method did not enforce path containment checks. The patched version introduced a validation step using Path.startsWith() to ensure files are under the Openfire home directory. The absence of this check in vulnerable versions allowed attackers to access arbitrary files via path traversal sequences in the request URL.
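The following Java sketch is an added example, not Openfire's code and not the diff of commit cb90074. It contrasts the pre-fix shape (join the requested name to a directory and serve whatever results) with the post-fix shape the advisory describes (normalize, then require Path.startsWith() against the home directory). The home directory `/opt/openfire`, the `plugins/<name>/` layout, the plugin name `search` and the method names are assumptions made for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Illustrative reconstruction of the containment check described in the
 * advisory. Added example; not Openfire's own code. The home directory,
 * the plugin layout and the method names are assumptions.
 */
public class PluginPathContainment {

    // Assumed Openfire home for this example.
    static final Path OPENFIRE_HOME =
            Paths.get("/opt/openfire").toAbsolutePath().normalize();

    /** Pre-fix shape: the requested name is joined to the plugin directory with no containment check. */
    static Path resolveUnchecked(String pluginName, String requested) {
        return OPENFIRE_HOME.resolve("plugins").resolve(pluginName).resolve(requested);
    }

    /**
     * Post-fix shape: normalize first so ".." segments are collapsed, then require
     * that the result still starts with the home directory. Path.startsWith compares
     * whole path elements, so "/opt/openfire-backup" is not treated as being under
     * "/opt/openfire". An absolute request such as "/etc/passwd" replaces the base
     * during resolve() and is rejected by the same check.
     */
    static Path resolveContained(String pluginName, String requested) {
        Path candidate = OPENFIRE_HOME.resolve("plugins")
                .resolve(pluginName)
                .resolve(requested)
                .normalize();
        if (!candidate.startsWith(OPENFIRE_HOME)) {
            throw new SecurityException("request resolves outside Openfire home: " + requested);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample requests: one legitimate, two that leave the home directory.
        String[] requests = {
                "web/index.html",
                "../../../../etc/passwd",
                "/etc/passwd"
        };
        for (String r : requests) {
            System.out.println("request: " + r);
            // Where the unchecked join would land once the filesystem collapses "..":
            System.out.println("  unchecked -> " + resolveUnchecked("search", r).normalize());
            try {
                System.out.println("  contained -> " + resolveContained("search", r));
            } catch (SecurityException e) {
                System.out.println("  contained -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two points worth checking when reviewing a fix of this shape. First, `normalize()` only rewrites the string form of the path; it does not follow symbolic links, so a link inside the served tree that points outside it would still pass. Resolving with `toRealPath()` (which requires the file to exist) before the `startsWith()` comparison closes that gap. Second, the directory the check is anchored at decides what a traversal can still reach: anchoring at the Openfire home, as the advisory describes, stops `../../etc/passwd` but still permits a request that climbs out of one plugin directory into another location under the same home, so anchoring at the plugin's own directory is the tighter choice when the servlet only ever serves plugin resources.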
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.igniterealtime.openfire:parent | maven | < 4.5.0-beta | 4.5.0-beta |