CVE-2019-17352

Published: Oct 8, 2019Modified: Jun 17, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

In JFinal cos before 2019-08-13, as used in JFinal 4.4, there is a vulnerability that can bypass the isSafeFile() function: one can upload any type of file. For example, a .jsp file may be stored and almost immediately deleted, but this deletion step does not occur for certain exceptions.

Affected (1)

Products: Jfinal: Jfinal

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Jfinal Jfinal	Before 4.4

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (6)

https://gitee.com/jfinal/cos/commit/5eb23d6e384abaad19faa7600d14c9a2f525946a

Source: cve@mitre.org

Permissions RequiredVendor Advisory

https://gitee.com/jfinal/cos/commit/8d26eec61f0d072a68bf7393cf3a8544a1112130

Source: cve@mitre.org

Permissions RequiredVendor Advisory

https://github.com/jfinal/jfinal/issues/171

Source: cve@mitre.org

ExploitThird Party Advisory

https://gitee.com/jfinal/cos/commit/5eb23d6e384abaad19faa7600d14c9a2f525946a

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredVendor Advisory

https://gitee.com/jfinal/cos/commit/8d26eec61f0d072a68bf7393cf3a8544a1112130

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredVendor Advisory

https://github.com/jfinal/jfinal/issues/171

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.