Jacques Le Roux created OFBIZ-12558: ---------------------------------------
Summary: Possible authenticated attack related to Tomcat CVE-2020-1938
Key: OFBIZ-12558
URL: https://issues.apache.org/jira/browse/OFBIZ-12558
Project: OFBiz
Issue Type: Bug
Affects Versions: 18.12.05, Upcoming Branch
Reporter: Jacques Le Roux
Assignee: Jacques Le Roux

Lion Tree <liontree0...@gmail.com> has reported to us that "CVE-2020-1938 is not fully fixed". Though it was fixed by OFBIZ-11407, it is still possible for an authenticated user to upload a webshell included in an image using one of the OFBiz upload possibilities. That of course is not new and is already covered by OFBIZ-12080 "Secure the uploads", but it was still incomplete. So this Jira covers 2 points:

# Disable bypass of Tomcat due to setting in framework/catalina/ofbiz-component.xml
# Enforce upload prevention of webshells, specifically but not only those included in images
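The second point above, an upload check that refuses an image carrying a server-side script body, illustrated as an added example (not OFBiz code); the allow-list, marker patterns and sample bytes are constructed for illustration, and the check rejects both an extension/content mismatch and a valid image header followed by JSP-style markup:

```python
"""Upload hardening check: accept an image only if its declared extension,
its magic bytes and its body agree, and refuse polyglots whose image body
also contains server-side script markup (e.g. a JSP scriptlet)."""
import re

# Constructed allow-list of image types and the magic bytes they must start with.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Markers of server-side templates/scripts that have no business inside an image.
# Each pattern requires an opening AND closing construct to limit false positives
# on random binary bytes (a bare "<%" can occur by chance in compressed data).
SCRIPT_MARKERS = [
    re.compile(rb"<%[@=!]?.*?%>", re.S),        # JSP/ASP scriptlet or directive
    re.compile(rb"<\?php\b.*?\?>", re.S | re.I), # PHP open/close tags
    re.compile(rb"<jsp:\w+.*?>", re.S | re.I),   # JSP action tag
    re.compile(rb"<script\b.*?>", re.S | re.I),  # HTML script (stored XSS via image)
]

def sniff_type(data):
    """Return the allowed image type whose magic bytes open the payload, else None."""
    for kind, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def validate_upload(filename, data):
    """Return (accepted, reason) for an upload named `filename` with body `data`.

    Only the LAST extension counts, so 'shell.jsp.png' is judged as a PNG and
    must both sniff as PNG and be free of script markup to pass."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in IMAGE_MAGIC:
        return False, "extension not in image allow-list"
    if sniff_type(data) != ext:
        return False, "content does not match declared image type"
    for marker in SCRIPT_MARKERS:
        if marker.search(data):
            return False, "server-side script marker inside image body"
    return True, "ok"
```

The magic-byte check alone is not enough, since a file can be a valid image and still carry a script body after the header; the marker scan is what closes that gap.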