author
superx@snowtech.com.cn

Summary
An improper access control vulnerability exists in /api/jmeter/download/files, which allows any file to be downloaded without authentication and may lead to various issues.

Details
In the ShiroUtil config, the anonymous user can access /api/jmeter/download/files.
downloadJmeterFiles doesn't check the filename.
The file is zipped.
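As an added illustration, and not the project's own ShiroUtil or downloadJmeterFiles code, the following hypothetical Java sketch shows the two controls a defender would look for here: the Shiro filter-chain entry for /api/jmeter/download/files requiring authentication instead of anon, and a filename check that confines the download to the intended directory. Class, method and directory names are assumptions made for the example.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical example; not the code of the affected project.
public class JmeterDownloadHardening {

    // Filter chain as handed to ShiroFilterFactoryBean.setFilterChainDefinitionMap.
    // Weak form: the download endpoint is reachable by anonymous callers.
    public static Map<String, String> weakFilterChain() {
        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/api/jmeter/download/files", "anon");
        chain.put("/**", "authc");
        return chain;
    }

    // Corrected form: the endpoint requires an authenticated subject.
    // Shiro matches entries in insertion order, so the catch-all stays last.
    public static Map<String, String> hardenedFilterChain() {
        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/api/jmeter/download/files", "authc");
        chain.put("/**", "authc");
        return chain;
    }

    // Resolve a caller-supplied file name against the allowed directory and
    // reject anything that escapes it: "../" segments, absolute paths, and
    // symlinks pointing outside the directory (toRealPath follows links).
    public static Path resolveWithinBase(Path baseDir, String requestedName) throws IOException {
        Path base = baseDir.toRealPath();
        // resolve() returns an absolute argument unchanged, so it fails the check below.
        Path candidate = base.resolve(requestedName).normalize();
        if (!candidate.startsWith(base)) {
            throw new SecurityException("path escapes allowed directory: " + requestedName);
        }
        Path real = candidate.toRealPath(); // throws if the file does not exist
        if (!real.startsWith(base)) {
            throw new SecurityException("resolved path escapes allowed directory");
        }
        return real;
    }
}
```

Path.startsWith compares whole path elements, so a sibling directory such as /data/jmeter2 does not pass as being inside /data/jmeter.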