目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1336

100%

CVE-2026-57898

CVSS 9.0 · Critical
获取后续新漏洞提醒登录后订阅

一、 漏洞 CVE-2026-57898 基础信息

漏洞信息

对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗

尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。

Vulnerability Title
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
In Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 to 2.0.0-milestone-12, deployments using the MongoDB backend are vulnerable to an unauthenticated arbitrary file write through the AAS thumbnail API. The AAS thumbnail upload path accepted a client-controlled fileName request parameter and passed it through repository file handling as both a repository key and, during thumbnail retrieval, a local filesystem path. With the MongoDB file repository, the supplied filename was treated as an opaque GridFS key and was not normalized or restricted as a filesystem path. A remote attacker could upload thumbnail content using an absolute or traversal-style filename, then trigger thumbnail retrieval so that the uploaded bytes were written to the attacker-chosen path on the server filesystem. This could allow writing files anywhere the Java process has permission to write and may lead to remote code execution. The default InMemory backend is not affected by this specific path because it normalizes and restricts file paths to its temporary directory. The issue is fixed in Eclipse BaSyx Java Server SDK 2.0.0-milestone-13.
来源: 美国国家漏洞数据库 NVD
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
对路径名的限制不恰当(路径遍历)
来源: 美国国家漏洞数据库 NVD

受影响产品

厂商产品影响版本CPE订阅
Eclipse FoundationEclipse BaSyx - Java Server SDK 2.0.0-milestone-05 ~ 2.0.0-milestone-13 -

二、漏洞 CVE-2026-57898 的公开POC

#POC 描述源链接神龙链接
AI 生成 POC高级

未找到公开 POC。

登录以生成 AI POC

三、漏洞 CVE-2026-57898 的情报信息

登录查看更多情报信息。

CVE-2026-57898 厂商安全公告 (1)

同批安全公告 · Eclipse Foundation · 2026-07-14 · 共 10 条

CVE-2024-77087.5 HIGHGunicorn 100-Continue请求导致缓冲区泄露
CVE-2026-83845.3 MEDIUMJetty HTTP URI未解析路径漏洞
CVE-2026-67905.3 MEDIUMEclipse Jetty 请求Authority不匹配漏洞
CVE-2026-136994.3 MEDIUMDatabroker 0.6.1 PublishValue 数据缺失导致恐慌漏洞
CVE-2026-10051Eclipse Jetty HTTP/1.1 Trailer泄露漏洞
CVE-2026-12606Eclipse Grizzly<5.0.2 HTTP请求走私漏洞
CVE-2026-15075Eclipse Vert.x 重定向头泄漏漏洞
CVE-2026-15076Eclipse Vert.x<5.1.4 Cookie验证绕过致账户接管
CVE-2026-9561Eclipse Kura <5.6.2 伪造IP绕过暴破

IV. Related Vulnerabilities

V. Comments for CVE-2026-57898

暂无评论


发表评论