com.bstek.ureport:ureport2-core@2.2.5 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the com.bstek.ureport:ureport2-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Each entry below lists the vulnerability, its severity, and the vulnerable version range.
  • Path Traversal (severity: High)

com.bstek.ureport:ureport2-core is a report engine built on the Spring framework, in which complex Chinese-style statements and reports are composed by iterating over cells.

Affected versions of this package are vulnerable to Path Traversal when image files are inserted into a report: the supplied image path is used without being confined to an allowed directory, so an attacker who can supply a crafted path (for example one containing ../ segments) can read arbitrary files that the application process is permitted to open.

How to fix Path Traversal?

There is no fixed version for com.bstek.ureport:ureport2-core. Treat every deployed version as affected. Since no upgrade resolves this or the other issues listed on this page, the practical mitigation is to keep the report designer and its file-handling endpoints off untrusted networks, restrict who may author or save reports, and run the service under an account with minimal filesystem permissions.

Vulnerable versions: [0,) (all versions)
  • XML External Entity (XXE) Injection (severity: High)

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection in the parse() function in ReportParser.java, reachable through the /ureport/designer/saveReportFile endpoint. A user who can reach that endpoint can submit a report file whose XML declares an external entity, and the parser resolves it. The advisory describes the impact as code execution; the direct effect of an XXE in a Java XML parser is usually disclosure of local files and server-side requests to internal hosts, so treat the endpoint as at least a file-read and SSRF primitive.

How to fix XML External Entity (XXE) Injection?

There is no fixed version for com.bstek.ureport:ureport2-core.

Vulnerable versions: [0,) (all versions)
  • Directory Traversal (severity: High)

Affected versions of this package are vulnerable to Directory Traversal in the deleteReport() function in FileReportProvider.java: the report name passed in is resolved against the provider's report directory without being confined to it, so an attacker able to call it can delete arbitrary files that the application process has permission to remove.

How to fix Directory Traversal?

There is no fixed version for com.bstek.ureport:ureport2-core.

Vulnerable versions: [0,) (all versions)
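Both the image-path read above and the deleteReport() deletion come down to the same missing check: a caller-supplied name is joined to a base directory and used as-is. The following is an added example, not code from ureport2: a small file-backed store that shows the vulnerable resolution next to a confined one, and uses the confined form for both reading and deleting. The class name, the method names and the sample file names are assumptions made for this illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class ConfinedReportStore {
    private final Path root;

    ConfinedReportStore(Path root) throws IOException {
        // Resolve symlinks once so later comparisons are against the real directory.
        this.root = root.toRealPath();
    }

    // Vulnerable pattern: the caller's name is joined to the base directory and used
    // directly. "../../etc/passwd" escapes the store, and an absolute name replaces it.
    Path resolveUnsafe(String name) {
        return root.resolve(name);
    }

    // Hardened: reject empty or NUL-bearing names, normalise away "." and "..", then
    // require the result to still lie under root; if the target exists, also check its
    // real path so a symlink planted inside root cannot point back out.
    Path resolveConfined(String name) throws IOException {
        if (name == null || name.isEmpty() || name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or NUL-bearing report name");
        }
        Path candidate = root.resolve(name).normalize();
        if (!candidate.startsWith(root)) {
            throw new SecurityException("path escapes report root: " + name);
        }
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(root)) {
            throw new SecurityException("symlink escapes report root: " + name);
        }
        return candidate;
    }

    byte[] readReport(String name) throws IOException {
        return Files.readAllBytes(resolveConfined(name));
    }

    boolean deleteReport(String name) throws IOException {
        return Files.deleteIfExists(resolveConfined(name));
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("report-store-demo");
        ConfinedReportStore store = new ConfinedReportStore(tmp);
        // Constructed sample report for the demonstration.
        Files.write(tmp.resolve("sales.ureport.xml"), "<ureport/>".getBytes(StandardCharsets.UTF_8));

        System.out.println("unsafe resolution lands at: "
            + store.resolveUnsafe("../../etc/passwd").normalize());
        System.out.println("confined read ok: " + store.readReport("sales.ureport.xml").length + " bytes");

        for (String n : new String[] {"../../etc/passwd", "sub/../../x", "/etc/passwd", "reports/../sales.ureport.xml"}) {
            try {
                Path p = store.resolveConfined(n);
                System.out.println("allowed: " + n + " -> " + tmp.relativize(p));
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        System.out.println("confined delete: " + store.deleteReport("sales.ureport.xml"));
    }
}
```

Note that startsWith on a Path compares whole name components, so a sibling directory whose name merely begins with the root's name is still rejected; a string prefix comparison would not give that guarantee.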