CA Unified Infrastructure Management diag Path Traversal Information Disclosure Vulnerability

2016-11-09T00:00:00
ID ZDI-16-607
Type zdi
Reporter rgod
Modified 2016-11-10T00:00:00

Description

This vulnerability allows remote attackers to disclose sensitive information from vulnerable installations of CA Unified Infrastructure Management. Authentication is not required to exploit this vulnerability.

The specific flaw exists within processing of the diag.jsp servlet. The servlet is vulnerable to directory traversal and can be used to exfiltrate sensitive system files from the system.