zdi | Dave Weinstein, HP Zero Day Initiative | ZDI-14-279
History: Aug 12, 2014 - 12:00 a.m.

Hewlett-Packard Application Lifecycle Manager DLL Planting Elevation of Privilege Vulnerability

www.zerodayinitiative.com

CVSS2: 4.6 Medium
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.24 Low
Percentile: 96.6%

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard’s Application Lifecycle Management. This vulnerability requires the attacker to have an unprivileged account on the Application Lifecycle Management System. The specific flaw exists within the ACLs on a specific installed directory. Because this directory allows any user to create a file, an unprivileged attacker can place a malicious DLL on the system. When the Application Lifecycle Management is restarted, it will execute the provided file in the context of NT Authority\SYSTEM.
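
A defensive audit for the condition described above, as an added example that is not part of the advisory or of HP's software: it walks an install tree and lists directories whose ACL lets broad, unprivileged groups create files. The `$InstallRoot` path is a placeholder, since the advisory does not name the affected directory, and the list of low-privilege SIDs is an assumption about which principals to treat as "any user".

```powershell
param(
    # Placeholder path: the advisory does not name the affected directory.
    [string]$InstallRoot = 'C:\Path\To\ALM-install'
)

# Well-known SIDs that cover any unprivileged local account (assumed list).
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# CreateFiles/WriteData (0x2) plus GENERIC_WRITE and GENERIC_ALL, which
# Get-Acl can report as raw bits instead of named FileSystemRights.
$createMask  = 0x2 -bor 0x40000000 -bor 0x10000000
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

# The root itself plus every subdirectory beneath it.
$dirs = @(Get-Item -LiteralPath $InstallRoot) +
        @(Get-ChildItem -LiteralPath $InstallRoot -Directory -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    # Ask for SIDs so the check does not depend on localized group names.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, which are checked on their own.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        $sid = $ace.IdentityReference.Value
        if (-not $lowPriv.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $createMask) -eq 0) { continue }
        [pscustomobject]@{
            Directory = $dir.FullName
            Principal = $lowPriv[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Directory | Format-Table -AutoSize
```

Each row is a directory to review rather than a confirmed finding: the script ignores Deny entries and does not expand custom groups that may contain unprivileged accounts.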
