Overview
The Attachmate Verastream Host Integrator (VHI) is vulnerable to arbitrary file uploads and execution.
Description
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2013-3626 The Attachmate VHI Session Server, on all platforms, allows unauthenticated remote attackers to write arbitrary files on the machine in which the product is installed by sending a specially crafted message to the VHI Session Server. The affected versions are:
|
Impact
An attacker may be able to gain complete control of the server on which the application is installed. |
Solution
Apply a HotfixAttachmate has released a hotfix to address this issue while a patch is being developed. The hotfix can be found at: http://support.attachmate.com/techdocs/2700.html |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| Temporal | 7.5 | E:POC/RL:TF/RC:C |
| Environmental | 1.9 | CDP:N/TD:L/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Arnold Geels of Attachmate for reporting this vulnerability.
This document was written by Chris King.
Other Information
| CVE IDs: | CVE-2013-3626 |
| Date Public: | 2013-11-04 |
| Date First Published: | 2013-11-04 |
| Date Last Updated: | 2013-11-19 22:40 UTC |
| Document Revision: | 13 |