[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY] CVE-2012-2138 Apache Sling denial of service vulnerability
CVE-2012-2138 : Apache Sling denial of service vulnerability
Vendor: The Apache Software Foundation
org.apache.sling.servlets.post bundle up to 2.1.0
The @CopyFrom operation of the Sling POST servlet allows for copying a
parent node to one of its descendant nodes, creating an infinite loop
that ultimately results in denial of service, once memory and/or
storage resources are exhausted.
Users should upgrade to version 2.1.2 of the
org.apache.sling.servlets.post bundle , or apply the Sling patch of
revision 1352865 .
curl -u admin:pwd -d "" "http://localhost:8888/content/foo/?./%40CopyFrom=../"
This issue was discovered by IO Active, working for Adobe.