Advisory Details

May 27th, 2020

Trend Micro InterScan Web Security Virtual Appliance Apache Solr Directory Traversal Information Disclosure Vulnerability

ZDI-20-678
ZDI-CAN-10329

CVE ID CVE-2020-8604
CVSS SCORE 7.5, (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
AFFECTED VENDORS Trend Micro
AFFECTED PRODUCTS InterScan Web Security Virtual Appliance
VULNERABILITY DETAILS

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Trend Micro InterScan Web Security Virtual Appliance. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the Apache Solr application. When parsing the file parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of IWSS user.

ADDITIONAL DETAILS

https://success.trendmicro.com/solution/000253095


DISCLOSURE TIMELINE
  • 2020-02-04 - Vulnerability reported to vendor
  • 2020-05-27 - Coordinated public release of advisory
  • 2020-05-28 - Advisory Updated
CREDIT Mehmet INCE (@mdisec)
BACK TO ADVISORIES