Description
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and lands anywhere the Tomcat process can write — including the servlet context root. Combined with the framework's multipart /uploadServlet and an event that calls file.saveUploadFiles + FileManager.unZip, a remote attacker with no credentials drops a JSP webshell and executes arbitrary commands as the Tomcat user. This vulnerability is fixed in 4.08.010.
Problem types
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Product status
References
github.com/...efw4.X/security/advisories/GHSA-q7jx-7x5r-r9f6
github.com/...efw4.X/security/advisories/GHSA-q7jx-7x5r-r9f6