CVE-2023-42033

2024-05-0303:15:36

CWE-22

[email protected]

web.nvd.nist.gov

cve-2023-42033

visualware myconnection server

dopostuploadfiles

directory traversal

remote code execution

authentication bypass

vulnerability

validation

user-supplied path

file operations

root context

zdi-can-21612

nvd

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

39.7%

JSON

Visualware MyConnection Server doPostUploadfiles Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Visualware MyConnection Server. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

The specific flaw exists within the doPostUploadfiles method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-21612.

Affected configurations

Vulners

Node

visualwaremyconnection_serverRange≤11.3

CNA Affected

[
  {
    "vendor": "Visualware",
    "product": "MyConnection Server",
    "versions": [
      {
        "version": "11.3c",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  }
]