Workaround for AhsayOBS 6.x - 6.17.x.x vulnerability
The changelog for AhsayOBS 220.127.116.11 contained a mitigation for an unspecified potential vulnerability in all prior 6.x versions.
An attacker may be able to retrieve your whitelisted IP ranges, or other content of the web.xml file. An attacker may also be able to determine the exact version of AhsayOBS in use. If you are using URL Rewriting for your AhsayOBS installation, the vulnerability can be used to retrieve your AhsayOBS credentials.
The vulnerability has a low impact, but if you are using URL Rewriting without applying IP-address restrictions to the web console, then this vulnerability is critical.
1. Upgrade to AhsayOBS 18.104.22.168 or later
This vulnerability has a first-party mitigation as of AhsayOBS 22.214.171.124.
2. Apply workarounds as previously detailed
The workarounds described in our article "Workaround for AhsayOBS 6.x - 6.9.x.x vulnerability" will protect against exploitation of this vulnerability.