CVE-2023-4760

In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component.

The reason for this is a not completely secure extraction of the file name in the FileUploadProcessor.stripFileName(String name) method. As soon as this finds a / in the path, everything before it is removed, but potentially (backslashes) coming further back are kept.

For example, a file name such as /….webappsshell.war can be used to upload a file to a Tomcat server under Windows, which is then saved as ….webappsshell.war in its webapps directory and can then be executed.

Source: CVE-2023-4760