search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Blue Coat Malware Analysis appliance contains a cross-site scripting (XSS) vulnerability and information disclosure

Vulnerability Note VU#274244

Original Release Date: 2015-04-14 | Last Revised: 2015-04-17

Overview

The Blue Coat Malware Analysis appliance is vulnerable to cross-site scripting (XSS) and information disclosure.

Description

The Blue Coat Malware Analysis appliance is a sandboxed appliance that scans for threats in files and downloads on the network.

A cross-site scripting vulnerability exists in search.php of the appliance. This vulnerability has been assigned CVE-2015-0937.

An information disclosure vulnerability exists in search.php of the appliance. By use of a specialized URL parameter, this vulnerability allows a user to search for and obtain a list of documents meeting certain keywords, even if those documents are private. This vulnerability has been assigned CVE-2015-0938.

These vulnerabilities have been observed in version 4.2.3.20150129-RELEASE; other releases may also be affected. For more information, please see Blue Coat's security advisory SA94..

The CVSS score below is based on CVE-2015-0937.

Impact

The cross-site scripting vulnerability may allow compromise of user credentials. The information disclosure vulnerability may allow private file data to be obtained by unauthorized users.

Solution

Update software

Blue Coat has addressed these vulnerabilities in version 4.2.4.20150312-RELEASE. Affected users are suggested to upgrade as soon as possible.

Vendor Information

274244
 
Expand all

Blue Coat Systems Affected

Notified:  February 02, 2015 Updated: April 07, 2015

Statement Date:   February 13, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N
Temporal 5.2 E:POC/RL:U/RC:C
Environmental 3.9 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

https://bto.bluecoat.com/security-advisory/sa94

Acknowledgements

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-0937, CVE-2015-0938
Date Public: 2015-04-14
Date First Published: 2015-04-14
Date Last Updated: 2015-04-17 13:26 UTC
Document Revision: 28

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis