ZK AuUploader servlets contain a security vulnerability which can be exploited to retrieve the content of a file located in the web context. This includes files normally hidden from the user located in WEB-INF, such as web.xml, zk.xml, etc.

This vulnerability affects ZK versions below the secure version list provided below.

This vulnerability is resolved in versions:
- 22.214.171.124 (security release)
- 126.96.36.199 (security release)
- 188.8.131.52 (security release)
- 184.108.40.206 (security release)

The secure list contains security releases for ZK branches from 8.6.X up to 9.6.0.X, and the main release 9.6.2.

If you cannot upgrade, apply the patch: download the attached classes, add them to your application in their declared package, and register them in zk.xml.
- For ZK 220.127.116.11 to 9.6.1: use zk8601-to-zk961-patch.zip
- For ZK 8.0.2 to 8.6.0: use zk802-to-zk8600-patch.zip
- For ZK 8.0.1 and before: Contact ZK support

Thanks to Markus Wulftange of Code White GmbH for discovering and reporting this issue, as well as cooperating with us in its resolution.
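The class of defect described above is a server-side handler that resolves a client-supplied path inside the web context without excluding the directories the container hides from direct requests. Container rules only protect direct URL access; code that reads resources itself (for example via ServletContext.getResourceAsStream) must enforce the exclusion on its own. The following helper is an added illustration of that check, written for this page; it is not ZK's patch and not code from the attached classes. The class name ContextPathGuard and the sample paths in main are constructed for the example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

/**
 * Hypothetical helper (not part of ZK): decides whether a web-context
 * resource path requested by a client may be served. The path is
 * percent-decoded and normalised first, then anything that escapes the
 * context root or lands under /WEB-INF/ or /META-INF/ is refused.
 */
public final class ContextPathGuard {
    private ContextPathGuard() {}

    /**
     * Collapses "." and ".." segments and unifies separators.
     * Returns null when the path climbs above the context root.
     */
    static String normalize(String decoded) {
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : decoded.replace('\\', '/').split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null; // would leave the web context
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        return "/" + String.join("/", segments);
    }

    /** True only for paths that are safe to hand to the resource loader. */
    public static boolean isServable(String requestedPath) {
        if (requestedPath == null || requestedPath.isEmpty()) {
            return false;
        }
        String decoded;
        try {
            // Decode %2e%2e and friends before normalising, so encoded
            // traversal is judged on its real meaning.
            decoded = URLDecoder.decode(requestedPath, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return false; // malformed percent-encoding
        }
        if (decoded.indexOf('\0') >= 0) {
            return false; // embedded NUL can truncate the path downstream
        }
        String normalized = normalize(decoded);
        if (normalized == null) {
            return false;
        }
        // Servlet containers treat these names case-insensitively on
        // some filesystems, so compare case-insensitively here too.
        String upper = normalized.toUpperCase(Locale.ROOT);
        boolean hidden = upper.equals("/WEB-INF") || upper.startsWith("/WEB-INF/")
                || upper.equals("/META-INF") || upper.startsWith("/META-INF/");
        return !hidden;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; none of these are real requests.
        String[] samples = {
            "/img/logo.png",
            "/WEB-INF/web.xml",
            "/css/../WEB-INF/zk.xml",
            "/css/%2e%2e/WEB-INF/zk.xml",
            "/../secret.txt",
            "/web-inf/web.xml",
        };
        for (String s : samples) {
            System.out.printf("%-32s -> %s%n", s, isServable(s) ? "serve" : "refuse");
        }
    }
}
```

Only the first sample is served; the others are refused either because they resolve under WEB-INF (directly, via "..", via an encoded "..", or with a different letter case) or because they climb above the context root. If a handler also accepts paths that arrive already decoded once by the container, decode only once more than the container did; decoding repeatedly in a loop creates its own inconsistencies with how the resource loader interprets the path.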