Overview
The up.time agent for Linux versions 7.5 and 7.6 may allow an unauthenticated remote attacker to read arbitrary files from a system.
Description
CWE-306: Missing Authentication for Critical Function - CVE-2015-8268
According to the researcher, "The linux based uptime.agent version 7.5 provides the ability to remotely read any file on the remote system that the uptime.agent has read access to, without authentication."
Idera has identified that versions 7.5 and 7.6 are affected.
Impact
An unauthenticated remote user may be able to read arbitrary files from a system running the Up.time agent for Linux.
Solution
Apply an update
Check configuration
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 7.8 | AV:N/AC:L/Au:N/C:C/I:N/A:N |
Temporal | 6.1 | E:POC/RL:OF/RC:C |
Environmental | 4.6 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Ryan Wincey for reporting this vulnerability.
This document was written by Garret Wassermann.
Other Information
CVE IDs: CVE-2015-8268
Date Public: 2016-05-11
Date First Published: 2016-05-19
Date Last Updated: 2016-06-14 15:04 UTC
Document Revision: 31