Advisory Details

July 9th, 2014

Hewlett-Packard SiteScope EmailServlet servlet Information Disclosure Vulnerability

ZDI-14-228
ZDI-CAN-2140

CVE ID CVE-2014-2614
CVSS SCORE 6.8, (AV:N/AC:M/Au:N/C:P/I:P/A:P)
AFFECTED VENDORS Hewlett-Packard
AFFECTED PRODUCTS SiteScope
TREND MICRO CUSTOMER PROTECTION Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 13650. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard SiteScope. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the EmailServlet servlet. The issue lies in the ability to download arbitrary files. A remote attacker can abuse this to disclose sensitive information that could result in remote code execution under the context of the process.

ADDITIONAL DETAILS Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04355129
DISCLOSURE TIMELINE
  • 2014-03-07 - Vulnerability reported to vendor
  • 2014-07-09 - Coordinated public release of advisory
CREDIT Andrea Micalizzi (rgod)
BACK TO ADVISORIES