Cisco Prime Data Center Network Manager Directory Traversal Bug Lets Remote Users Obtain Arbitrary Files
SecurityTracker Alert ID: 1032009
SecurityTracker URL: http://securitytracker.com/id/1032009
Date: Apr 1 2015
Disclosure of system information, Disclosure of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 6.3(1) and after and prior to 7.1(1)
A vulnerability was reported in Cisco Prime Data Center Network Manager. A remote user can obtain files on the target system.
A remote user can supply a specially crafted request to exploit a directory traversal flaw in the fmserver servlet of Cisco Prime Data Center Network Manager (DCNM) and obtain arbitrary files from the target system with system or root privileges.
The vendor has assigned bug ID CSCus00241 to this vulnerability.
Andrea Micalizzi (rgod) reported this vulnerability (via HP's Zero Day Initiative).
A remote user can obtain arbitrary files from the target system.
The vendor has issued a fix (7.1(1)).
The vendor's advisory is available at:
Vendor URL: tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150401-dcnm
Access control error
Underlying OS: Linux (Red Hat Enterprise), Windows (2008)
Source Message Contents
Subject: Cisco Security Advisory: Cisco Prime Data Center Network Manager File Information Disclosure Vulnerability
Cisco Prime Data Center Network Manager File Information Disclosure Vulnerability
Advisory ID: cisco-sa-20150401-dcnm
For Public Release 2015 April 1 16:00 UTC (GMT)
Cisco Prime Data Center Network Manager (DCNM) contains a file
information disclosure vulnerability that could allow an
unauthenticated, remote attacker to retrieve arbitrary files from the
underlying operating system.
Cisco has released free software updates that address this
Workarounds that mitigate this vulnerability are not available.
This advisory is available at the following link: