Advisory Details

July 9th, 2014

Hewlett-Packard SiteScope EmailServlet servlet Information Disclosure Vulnerability

ZDI-14-228
ZDI-CAN-2140

CVE ID CVE-2014-2614
CVSS SCORE 6.8, (AV:N/AC:M/Au:N/C:P/I:P/A:P)
AFFECTED VENDORS Hewlett-Packard
AFFECTED PRODUCTS SiteScope
TIPPINGPOINT™ IPS CUSTOMER PROTECTION TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 13650. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard SiteScope. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the EmailServlet servlet. The issue lies in the ability to download arbitrary files. A remote attacker can abuse this to disclose sensitive information that could result in remote code execution under the context of the process.

VENDOR RESPONSE Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04355129
DISCLOSURE TIMELINE
  • 2014-03-07 - Vulnerability reported to vendor
  • 2014-07-09 - Coordinated public release of advisory
CREDIT Andrea Micalizzi (rgod)
BACK TO ADVISORIES