Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:436214
HistoryNov 04, 2013 - 12:00 a.m.

Attachmate Verastream Host Integrator (VHI) allows arbitrary file upload and execution

2013-11-0400:00:00
www.kb.cert.org
29

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.003 Low

EPSS

Percentile

71.2%

JSON

Overview

The Attachmate Verastream Host Integrator (VHI) is vulnerable to arbitrary file uploads and execution.

Description

CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) - CVE-2013-3626

The Attachmate VHI Session Server, on all platforms, allows unauthenticated remote attackers to write arbitrary files on the machine in which the product is installed by sending a specially crafted message to the VHI Session Server. The affected versions are:

* 7.5 SP 1 HF 1
* 7.5 SP 1
* 7.5
* 7.1 SP 2 HF 1 - 6
* 7.1 SP 2
* 7.1 SP 1
* 7.1
* 7.0
* 6.6
* 6.5
* 6.0

Impact

An attacker may be able to gain complete control of the server on which the application is installed.

Solution

Apply a HotfixAttachmate has released a hotfix to address this issue while a patch is being developed. The hotfix can be found at: <http://support.attachmate.com/techdocs/2700.html&gt;

Vendor Information

436214

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Attachmate __ Affected

Notified: October 02, 2013 Updated: October 10, 2013

Status

Affected

Vendor Statement

A hotfix is available at: <http://support.attachmate.com/techdocs/2700.html&gt;

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group Score Vector
Base 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal 7.5 E:POC/RL:TF/RC:C
Environmental 1.9 CDP:N/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Arnold Geels of Attachmate for reporting this vulnerability.

This document was written by Chris King.

Other Information

CVE IDs: CVE-2013-3626
Date Public: 2013-11-04 Date First Published:

Related

prion 1
cve 1
cvelist 1
nvd 1
prion
prion
Directory traversal
2013-11-06 15:55:00
cve
cve
CVE-2013-3626
2022-10-03 16:14:45
cvelist
cvelist
CVE-2013-3626
2022-10-03 16:14:45
nvd
nvd
CVE-2013-3626
2013-11-06 15:55:05

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.003 Low

EPSS

Percentile

71.2%

JSON
Related for VU:436214
prion1cve1cvelist1nvd1