Any info about CVE-2019-14224

fhp — Thu, 06 Aug 2020 12:50:00 GMT

Hi!

Anyone have any information about this one:

https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-14224-Authenticated%20Remote%20Code%20Execution-Alfresco%20Community

I have not been able to find any response from Alfresco - i tried to check the jira, but when i try to make a new account it fails because the server that do the captcha has run out of diskspace.

Referer URL: https://issues.alfresco.com/jira/secure/Signup.jspa
java.lang.RuntimeException: java.io.IOException: No space left on device
java.lang.RuntimeException: java.io.IOException: No space left on device
	at com.atlassian.jira.servlet.JiraCaptchaServlet.doGet(JiraCaptchaServlet.java:69) [classes/:?]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:622) [servlet-api.jar:?]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729) [servlet-api.jar:?]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230) [catalina.jar:8.5.6]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [catalina.jar:8.5.6]
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-websocket.jar:8.5.6]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [catalina.jar:8.5.6]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [catalina.jar:8.5.6]
	at com.atlassian.jira.web.filters.JiraLastFilter.lambda$doFilter$0(JiraLastFilter.java:39) [classes/:?]
	at com.atlassian.jira.web.filters.steps.ChainedFilterStepRunner.doFilter(ChainedFilterStepRunner.java:74) [classes/:?]
	at com.atlassian.jira.web.filters.JiraLastFilter.doFilter(JiraLastFilter.java:36) [classes/:?]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [catalina.jar:8.5.6]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [catalina.jar:8.5.6]
	at com.atlassian.core.filters.HeaderSanitisingFilter.doFilter(HeaderSanitisingFilter.java:37) [atlassian-core-5.0.8.jar:?]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) [catalina.jar:8.5.6]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) [catalina.jar:8.5.6]
	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:39) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.jira.tzdetect.IncludeResourcesFilter.doFilter(IncludeResourcesFilter.java:77) [?:?]
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.jira.baseurl.IncludeResourcesFilter.doFilter(IncludeResourcesFilter.java:38) [?:?]
	at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:32) [atlassian-core-5.0.8.jar:?]
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24) [?:?]
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24) [?:?]
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24) [?:?]
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24) [?:?]
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24) [?:?]
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.intenso.jira.plugins.it.transform.CleanupFilter.doFilter(CleanupFilter.java:21) [?:?]
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64) [atlassian-plugins-servlet-4.5.0.jar:?]
	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37) [atlassian-plugin

/Flemming

Re: Any info about CVE-2019-14224

angelborroy — Thu, 06 Aug 2020 12:58:48 GMT

That vulnerability was not fixed.

A (very) simple fix can be using different OS users for Repository and SOLR.

As we are not providing an installer any more, from ACS 6 / SOLR 6, the vulnerability is not affecting the new releases.

topic Any info about CVE-2019-14224 in Alfresco Forum

Any info about CVE-2019-14224

Re: Any info about CVE-2019-14224