CVE-2019-0225
Description
A specially crafted url could be used to access files under the ROOT directory of the application on Apache JSPWiki 2.9.0 to 2.11.0.M2, which could be used by an attacker to obtain registered users' details.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache JSPWiki versions 2.9.0 to 2.11.0.M2 allow path traversal to access files under the ROOT directory, leading to disclosure of registered users' details.
Vulnerability
A path traversal vulnerability exists in Apache JSPWiki versions 2.9.0 to 2.11.0.M2. A specially crafted URL can bypass access controls and read files located under the application's ROOT directory [2][3]. This occurs due to insufficient input validation on the Wiki.jsp page or similar components that handle file access.
Exploitation
An attacker with network access can craft a malicious URL containing path traversal sequences (e.g., ../) to navigate outside the intended restricted directory. No authentication is required, and the attack can be performed remotely by sending the URL to the affected JSPWiki instance [2][4].
Impact
Successful exploitation allows an attacker to read files under the ROOT directory, such as configuration files or user registration data, leading to the disclosure of registered users' details (e.g., usernames, email addresses) [2][3]. This constitutes a confidentiality breach.
Mitigation
Apache JSPWiki users should upgrade to version 2.11.0.M3 or later, which contains a fix for this vulnerability [3][4]. As of the advisory publication, no other workarounds are documented; upgrading is the recommended mitigation.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.jspwiki:jspwiki-war (Maven) | >= 2.9.0, < 2.11.0.M3 | 2.11.0.M3 |
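An added example (not from the advisory or the JSPWiki project) that applies the affected range listed above, >= 2.9.0 and < 2.11.0.M3, to the version recorded inside a deployed WAR. It assumes the WAR was built by Maven and therefore contains a pom.properties descriptor, and that milestone builds (M<n>) sort before the final release of the same number; make_sample_war is a hypothetical helper that builds a constructed test archive.

```python
import io
import re
import zipfile

# Assumption: a Maven-built WAR carries its coordinates in this descriptor.
POM_PROPS = "META-INF/maven/org.apache.jspwiki/jspwiki-war/pom.properties"
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$", re.I)

def version_key(version):
    """Sortable key; milestone builds (x.y.z.M<n>) sort before the x.y.z release."""
    m = _VERSION.match(version.strip())
    if not m:
        # Unknown formats are rejected so they get reviewed by hand.
        raise ValueError(f"unrecognised JSPWiki version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    # (0, n) for milestone n, (1, 0) for the final release of the same number.
    stage = (0, int(m.group(4))) if m.group(4) else (1, 0)
    return (major, minor, patch) + stage

FIRST_AFFECTED = version_key("2.9.0")
FIRST_PATCHED = version_key("2.11.0.M3")

def is_affected(version):
    """True when version falls in >= 2.9.0, < 2.11.0.M3."""
    return FIRST_AFFECTED <= version_key(version) < FIRST_PATCHED

def war_version(war):
    """Return the version= value from the WAR's Maven descriptor (path or file object)."""
    with zipfile.ZipFile(war) as zf:
        for line in zf.read(POM_PROPS).decode("utf-8").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    raise ValueError("no version= entry in pom.properties")

def make_sample_war(version):
    """Constructed stand-in for a real WAR: a zip holding only pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=jspwiki-war\nversion={version}\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for v in ["2.8.4", "2.9.0", "2.10.5", "2.11.0.M2", "2.11.0.M3", "2.11.0"]:
        found = war_version(make_sample_war(v))
        print(f"{found:10} {'AFFECTED' if is_affected(found) else 'not affected'}")
```
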
Affected products
- Apache/Apache JSPWiki (v5), range: Apache JSPWiki 2.9.0 to 2.11.0.M2
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-pffw-p2q5-w6vh (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-0225 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2019/03/26/2 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- www.securityfocus.com/bid/107627 (ghsa, vdb-entry, x_refsource_BID, WEB)
- jspwiki-wiki.apache.org/Wiki.jsp (ghsa, x_refsource_CONFIRM, WEB)
- lists.apache.org/thread.html/03ddbcb1d6322e04734e65805a147a32bcfdb71b8fc5821fb046ba8d%40%3Cannounce.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/03ddbcb1d6322e04734e65805a147a32bcfdb71b8fc5821fb046ba8d@%3Cannounce.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/4f19fdbd8b9c4caf6137a459d723f4ec60379b033ed69277eb4e0af9%40%3Cuser.jspwiki.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/4f19fdbd8b9c4caf6137a459d723f4ec60379b033ed69277eb4e0af9@%3Cuser.jspwiki.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/6251c06cb11e0b495066be73856592dbd7ed712487ef283d10972831%40%3Cdev.jspwiki.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/6251c06cb11e0b495066be73856592dbd7ed712487ef283d10972831@%3Cdev.jspwiki.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16@%3Ccommits.jspwiki.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1@%3Ccommits.jspwiki.apache.org%3E (ghsa, WEB)