Impact
A path traversal vulnerability in Goobi viewer Core allows remote attackers to read files on the server through the application. Access is limited to files readable by the application server user (e.g. Tomcat), but it can still lead to the disclosure of sensitive information such as configuration files and credentials stored on the server.
Patches
The vulnerability has been fixed in version 4.8.3. Users should upgrade to version 4.8.3 or later.
Workarounds
As a workaround, access to the file servlet of Goobi viewer Core can be restricted. When the application is served behind an Apache httpd reverse proxy, this can be done with mod_rewrite, for example:
RewriteEngine On
RewriteRule "^(/viewer.?|)/file(.*)$" - [F,L]
The rule returns 403 Forbidden ([F]) for any request whose URL path is /file or /viewer/file (with any single character allowed after "viewer") and stops further rewriting ([L]). In certain use cases this can, however, slightly limit the functionality of the application, since legitimate downloads served through the file servlet are blocked as well.
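The following is an added example, not code from the Goobi viewer project or from this advisory. It does two things: it mirrors the RewriteRule above so you can check which request paths the workaround actually blocks (Apache applies the pattern to the percent-decoded URL path without the query string in server or virtual-host context), and it shows the containment check a file-serving endpoint needs so that a traversal of this kind is rejected at the application layer. The root directory, file names and request paths are constructed for the example; the functions are hypothetical and not the project's API.

```python
import os
import posixpath
import re
import tempfile
from urllib.parse import unquote

# --- 1. What the advisory's mod_rewrite workaround blocks -------------------
# Same pattern as the RewriteRule in the advisory. Apache matches it, in
# server/virtual-host context, against the decoded URL path (no query string).
FILE_SERVLET_RULE = re.compile(r"^(/viewer.?|)/file(.*)$")


def blocked_by_workaround(request_target: str) -> bool:
    """True if the RewriteRule would answer 403 for this request-line target."""
    path = request_target.split("?", 1)[0]
    return FILE_SERVLET_RULE.match(unquote(path)) is not None


# --- 2. The containment check a file servlet needs -------------------------
# Hypothetical hardened lookup (not Goobi viewer's code). `requested` is the
# already-decoded value the servlet received; do not decode it again here, or
# double-encoded input gets a second chance.
def contained_path(root: str, requested: str):
    """Lexical check: join under root, normalise, and require the result to
    stay inside root. Returns the normalised path, or None if it escapes."""
    root = posixpath.normpath(root)
    joined = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if joined != root and not joined.startswith(root + "/"):
        return None
    return joined


def resolve_on_disk(root: str, requested: str):
    """Like contained_path, but also follows symlinks via realpath, so a link
    inside root that points outside is rejected too. Returns the real path or None."""
    real_root = os.path.realpath(root)
    candidate = contained_path(real_root, requested)
    if candidate is None:
        return None
    real = os.path.realpath(candidate)
    if real != real_root and not real.startswith(real_root + os.sep):
        return None
    return real


def demo_on_disk():
    """Builds a constructed data root holding one regular file and one symlink
    that points outside the root, and reports how resolve_on_disk treats
    a normal name, a ../ traversal and the symlink."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as root:
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w") as f:
            f.write("not for the viewer\n")
        with open(os.path.join(root, "page.pdf"), "w") as f:
            f.write("%PDF-1.4\n")
        os.symlink(secret, os.path.join(root, "link.txt"))
        return {
            "regular": resolve_on_disk(root, "page.pdf")
            == os.path.realpath(os.path.join(root, "page.pdf")),
            "dotdot": resolve_on_disk(root, "../" + os.path.basename(outside) + "/secret.txt"),
            "symlink": resolve_on_disk(root, "link.txt"),
        }


if __name__ == "__main__":
    for target in ("/viewer/file?file=../../etc/passwd", "/viewer/%66ile", "/viewer/api/v1/records"):
        print(target, "->", "403" if blocked_by_workaround(target) else "passes")
    print(demo_on_disk())
```

Two things the matcher makes visible: the optional `.?` in the pattern means a context such as /viewer2/file is blocked as well, and because Apache matches the decoded path, percent-encoding "file" does not bypass the rule. The pattern starts with a slash, so it belongs in server or virtual-host context; in a per-directory (.htaccess) context the leading path prefix is stripped before matching and the rule would not fire. The lexical check alone is not enough on a real filesystem, which is why resolve_on_disk follows symlinks before deciding.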
For more information
If you have any questions or comments about this advisory: