Apache Thrift Node.js Static Web Server docroot Path Unauthorized Access Vulnerability

A vulnerability in the Apache Thrift Node.js static web server could allow an authenticated, remote attacker to gain unauthorized access to a targeted system.

The vulnerability is due to insufficient path verification performed by the affected software. An attacker could exploit this vulnerability by submitting malicious code to the targeted system. A successful exploit could allow the attacker to access unauthorized files outside of the web server’s docroot path.

Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available.

Apache confirmed the vulnerability and released software updates.

Security Impact Rating: Medium

CVE: CVE-2018-11798

Source: Cisco Multivendor Vulnerability Alerts