Hewlett-Packard IT Executive Scorecard Java Glassfish Admin Console Remote Code Execution Vulnerability

ID ZDI-14-208
Type zdi
Reporter Mike Arnold (Bruk0ut)
Modified 2014-11-09T00:00:00


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard IT Executive Scorecard. Authentication is not required to exploit this vulnerability.

The specific flaw exists within allowed HTTP access to a Glassfish administrative console on port 10001 with no authentication. A remote attacker can abuse this to execute remote code under the context of the SYSTEM user.