A vulnerability in the Apache Thrift Node.js static web server could allow an authenticated, remote attacker to gain unauthorized access to a targeted system.
The vulnerability is due to insufficient path verification performed by the affected software. An attacker could exploit this vulnerability by submitting malicious code to the targeted system. A successful exploit could allow the attacker to access unauthorized files outside of the web server’s docroot path.
Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available.
Apache confirmed the vulnerability and released software updates.
Security Impact Rating: Medium