Cisco Enterprise Content Delivery System Web Directory Traversal and Arbitrary File Access Vulnerability

2014-12-22T17:24:01
ID CISCO-SA-20141222-CVE-2014-8019
Type cisco
Reporter Cisco
Modified 2014-12-22T17:23:54

Description

A vulnerability in Cisco Enterprise Content Delivery System (ECDS) could allow an unauthenticated, remote attacker to conduct directory traversal attacks on a targeted system.

The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by sending crafted web requests with a directory traversal sequence to the system. An exploit could allow the attacker to access a specific file that is not normally exposed through the web interface.

Functional code that exploits this vulnerability is publicly available.

Cisco has confirmed the vulnerability, but software updates are not available.

To exploit the vulnerability, the attacker must send crafted HTTP requests to the affected system. Depending on the network configuration, the attacker would likely need access to trusted, internal networks. This access requirement could limit the likelihood of a successful attack.
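With no software update available, reviewing web logs for traversal sequences is one detective control. The following is an added example, not part of Cisco's advisory: it scans access-log lines for `..` path segments after repeated percent-decoding. The Combined Log Format, the request paths and the sample lines are constructed assumptions, since the advisory names no affected URL or parameter.

```python
import re
from urllib.parse import unquote

# Assumed Combined Log Format: client ... "METHOD target HTTP/x.y" status ...
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')
# A ".." segment bounded by a path/query separator (or string end) on both sides
DOTDOT_RE = re.compile(r'(?:^|[/\\?=&])\.\.(?:[/\\?&#]|$)')

def fully_decode(target, max_rounds=5):
    """Percent-decode repeatedly so single- and double-encoded forms both collapse."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def has_traversal(target):
    """True if the decoded request target contains a '..' path segment."""
    return bool(DOTDOT_RE.search(fully_decode(target)))

def scan(lines):
    """Return (client, target, status) for each log line carrying a traversal sequence."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and has_traversal(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical paths)
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Dec/2014:17:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Dec/2014:17:00:05 +0000] "GET /files/../../private/app.conf HTTP/1.1" 200 1843',
    '198.51.100.7 - - [22/Dec/2014:17:00:06 +0000] "GET /view?doc=%2e%2e%2f%2e%2e%2fconf HTTP/1.1" 404 0',
    '198.51.100.7 - - [22/Dec/2014:17:00:07 +0000] "GET /view?doc=%252e%252e%255cconf HTTP/1.1" 200 77',
    '192.0.2.10 - - [22/Dec/2014:17:00:09 +0000] "GET /docs/v1..2/notes.txt HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for client, target, status in scan(SAMPLE_LOG):
        # A 200 on a traversal request means content was served and needs triage first
        note = "served" if status == 200 else "not served"
        print(f"{client} {status} {note} {target}")
```

Hits answered with status 200 deserve priority, because they indicate the server returned content for a request that contained a traversal sequence.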