Advisory Details

April 8th, 2014

EMC Connectrix Manager Converged Network Edition inmservlets.war FileUploadController Servlet Information Disclosure Vulnerability

ZDI-14-060
ZDI-CAN-2133

CVE ID CVE-2014-2276
CVSS SCORE 5, (AV:N/AC:L/Au:N/C:P/I:N/A:N)
AFFECTED VENDORS EMC
AFFECTED PRODUCTS Connectrix Manager Converged Network Edition
TREND MICRO CUSTOMER PROTECTION Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 13558. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS


This vulnerability allows remote attackers to read arbitrary files on vulnerable installations of EMC Connectrix Manager Converged Network Edition. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the FileUploadController servlet which is part of inmservlets. This vulnerability allows an unauthenticated user to read an arbitrary file on the system. An attacker can use this to either disclose sensitive data or to disclose information about the server that can be used in a subsequent attack.

ADDITIONAL DETAILS EMC has issued an update to correct this vulnerability. More details can be found at:
http://seclists.org/bugtraq/2014/Mar/att-114/ESA-2014-018.txt
DISCLOSURE TIMELINE
  • 2014-02-10 - Vulnerability reported to vendor
  • 2014-04-08 - Coordinated public release of advisory
CREDIT Bluesea
BACK TO ADVISORIES