{"id":"CVE-2019-17352","details":"In JFinal cos before 2019-08-13, as used in JFinal 4.4, there is a vulnerability that can bypass the isSafeFile() function: one can upload any type of file. For example, a .jsp file may be stored and almost immediately deleted, but this deletion step does not occur for certain exceptions.","aliases":["GHSA-279p-pc38-xx4p"],"modified":"2026-03-12T23:01:59.710774Z","published":"2019-10-08T13:15:15.957Z","references":[{"type":"REPORT","url":"https://gitee.com/jfinal/cos/commit/5eb23d6e384abaad19faa7600d14c9a2f525946a"},{"type":"REPORT","url":"https://gitee.com/jfinal/cos/commit/8d26eec61f0d072a68bf7393cf3a8544a1112130"},{"type":"EVIDENCE","url":"https://github.com/jfinal/jfinal/issues/171"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jfinal/jfinal","events":[{"introduced":"0"},{"fixed":"5f0ac4cc2ff16bad45d3efac5d0776bf0a31579b"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.4"}]}}],"versions":["jfinal-1.9","jfinal-2.0","jfinal-2.1","jfinal-2.2","jfinal-3.0","jfinal-3.1","jfinal-3.2","jfinal-3.3","jfinal-3.4","jfinal-3.5","jfinal-3.6","jfinal-3.7","jfinal-3.8","jfinal-4.0","jfinal-4.1","jfinal-4.2","jfinal-4.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-17352.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}