VYPR
High severity · NVD Advisory · Published Jun 27, 2018 · Updated Sep 16, 2024

CVE-2018-1306

Description

Apache Pluto 3.0.0's PortletV3AnnotatedDemo Multipart Portlet allows arbitrary file upload due to insufficient path restriction, leading to sensitive information disclosure and remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The PortletV3AnnotatedDemo Multipart Portlet war file in Apache Pluto version 3.0.0 fails to properly restrict the path information provided during file uploads [1]. This lets an attacker use directory traversal in the filename, such as ../../../webapps/pluto/jspshell.jsp, to write files to arbitrary locations on the filesystem [2]. The upload handler's intended destination is the PortletV3AnnotatedDemo/temp/ directory; only version 3.0.0 is affected [2].

Exploitation

An unauthenticated attacker with network access to the Apache Pluto server can exploit this vulnerability by sending a crafted multipart file upload request to the PortletV3AnnotatedDemo Multipart Portlet [2]. No authentication is required and the request can be sent remotely. The attacker uses directory traversal in the filename parameter (e.g., ../../../webapps/pluto/jspshell.jsp) to upload a JSP webshell outside the intended temp/ directory [2]. The request uses the HEAD method, which falls outside the security constraints that cover only GET, POST, and PUT [2].

Impact

Successful exploitation allows an unauthenticated attacker to achieve remote code execution on the server running Apache Pluto 3.0.0 [2]. The attacker can obtain configuration data and other sensitive information, gain full control over the application server, and potentially pivot to internal systems [1][2]. The attacker can execute arbitrary commands, read or modify files, and access sensitive data.

Mitigation

Apache has addressed this vulnerability in Pluto version 3.1.0 and later [4]. The mitigation moved the temp/ directory outside the /webapps directory and under the Tomcat directory [2]. Users should upgrade to Pluto 3.1.0 or later [4]. As a workaround, administrators can uninstall or disable the PortletV3AnnotatedDemo war file from the Pluto deployment. There is no indication that this CVE is listed in the KEV catalog.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.portals.pluto:pluto-container (Maven)
Affected versions: >= 3.0.0, < 3.0.1
Patched versions: 3.0.1

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Failure to restrict or sanitize path information provided during a file upload allows directory traversal to arbitrary filesystem locations."

Attack vector

An unauthenticated attacker sends a crafted multipart HTTP request to the PortletV3AnnotatedDemo Multipart Portlet endpoint, e.g. `HEAD /pluto/portal/File%20Upload/__pdPortletV3AnnotatedDemo.MultipartPortlet%21-1517407963%7C0;0/__ac0 HTTP/1.1` [ref_id=1]. The request includes a file part whose filename contains directory traversal sequences (e.g. `filename="../../../webapps/pluto/jspshell.jsp"`) [ref_id=1]. Because the server fails to restrict the path information during file upload, the attacker can write a malicious JSP file to an arbitrary location on the filesystem, leading to remote code execution [CWE-200] [ref_id=1].

Affected code

The vulnerable component is the PortletV3AnnotatedDemo Multipart Portlet included in Apache Pluto 3.0.0 [ref_id=1]. The file upload handler does not restrict or sanitize the path information provided in the uploaded file's filename, allowing directory traversal sequences such as `../../../webapps/pluto/jspshell.jsp` [ref_id=1]. The advisory does not specify the exact source file or function name responsible for the upload processing.

What the fix does

The advisory states that the initial remediation moved the `/temp` directory outside the `/webapps` directory and under the Tomcat directory [ref_id=1]. However, this fix was incomplete because the directory traversal vulnerability (Vulnerability 3) still allowed an attacker to upload files to arbitrary locations, such as `/webapps/pluto/`, by using `../` sequences in the filename [ref_id=1]. The advisory does not provide a subsequent patch or final fix; the repository was later archived and is read-only [ref_id=3].
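The check that the temp/ relocation alone does not provide is restriction of the filename itself. As an added example (not Apache Pluto's code; the class and method names are assumptions), this Java method shows the path restriction a multipart upload handler should apply before writing, exercised on the traversal filename cited above as a constructed input:

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not Apache Pluto's code. Class and method names are assumptions.
// Demonstrates the path restriction the page says the 3.0.0 upload handler lacked:
// the submitted filename must not carry path information, and the resolved target
// must stay inside the upload directory even if the first check is ever weakened.
public final class UploadPathGuard {

    public static Path resolveUploadTarget(Path uploadDir, String submittedName) {
        if (submittedName == null || submittedName.isEmpty()
                || submittedName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed filename");
        }
        // Reject any path information outright: separators of either style, and
        // the dot entries. "../../../webapps/pluto/jspshell.jsp" fails here.
        if (submittedName.indexOf('/') >= 0 || submittedName.indexOf('\\') >= 0
                || submittedName.equals(".") || submittedName.equals("..")) {
            throw new IllegalArgumentException("filename must not contain path information");
        }
        // Defence in depth: normalize and assert containment before any write.
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(submittedName).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException("upload target escapes upload directory");
        }
        // uploadDir should itself sit outside the container's served webapps tree,
        // as the page's temp/ relocation did, so that an accepted .jsp upload is
        // stored as data rather than executed.
        return target;
    }

    public static void main(String[] args) {
        Path temp = Paths.get("/opt/tomcat/pluto-temp"); // constructed upload directory
        String[] samples = { "report.pdf", "../../../webapps/pluto/jspshell.jsp", "..\\x.jsp" };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + resolveUploadTarget(temp, s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: \"" + s + "\" (" + e.getMessage() + ")");
            }
        }
    }
}
```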

Preconditions

  • network: The attacker must be able to reach the Pluto server's HTTP port (default 8080) over the network
  • auth: No authentication is required; the HEAD method bypasses security constraints defined for GET, POST, and PUT
  • config: The PortletV3AnnotatedDemo Multipart Portlet must be deployed and accessible
  • input: The attacker provides a filename containing directory traversal sequences in the multipart upload

Reproduction

1. Send a HEAD request to the Pluto multipart portlet endpoint with a multipart/form-data body containing a file part whose filename includes directory traversal, e.g. `filename="../../../webapps/pluto/jspshell.jsp"` [ref_id=1].
2. The server writes the uploaded file to the traversed path.
3. Access the uploaded JSP file via the web server to achieve remote code execution [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet)