CERTA-2000-AVI-003
Vulnerability from certfr_avis
Description
By means of a cleverly constructed URL, a malicious user can gain access to certain files present on the server running HP Web JetAdmin.
Solution
4.1 Upgrade to version 6
Upgrading to version 6 of HP Web JetAdmin removes this vulnerability, but another flaw has been discovered: using a malformed URL, a remote user can cause a denial of service on the machine hosting HP Web JetAdmin.
4.2 Temporary workaround
In the application's manager, allow access only from the IP addresses of machines known to be trusted.
Vendor informed: a fix is in progress.
Impacted products
| Vendor | Product | Description |
|---|---|---|
| Centreon | Web | HP Web JetAdmin Version 5.6 (Microsoft Windows 2000) |
| Centreon | Web | HP Web JetAdmin Version 5.6 (Red Hat Linux) |
| Centreon | Web | HP Web JetAdmin Version 5.6 (Solaris) |
| Centreon | Web | HP Web JetAdmin Version 5.6 (Linux - SuSe) |
| Centreon | Web | HP Web JetAdmin Version 5.6 (Novell Netware) |
| Centreon | Web | HP Web JetAdmin Version 5.6 (HP-UX 11.x) |
| Centreon | Web | HP Web JetAdmin Version 5.6 (HP-UX 10.20) |
| Centreon | Web | HP Web JetAdmin Version 5.6 (Microsoft Windows NT 4.0) (Tested by CERTA) |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "HP Web JetAdmin Version 5.6 (Microsoft Windows 2000)",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "HP Web JetAdmin Version 5.6 (Red Hat Linux)",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "HP Web JetAdmin Version 5.6 (Solaris)",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "HP Web JetAdmin Version 5.6 (Linux - SuSe)",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "HP Web JetAdmin Version 5.6 (Novell Netware)",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "HP Web JetAdmin Version 5.6 (HP-UX 11.x)",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "HP Web JetAdmin Version 5.6 (HP-UX 10.20)",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "HP Web JetAdmin Version 5.6 (Microsoft Windows NT 4.0) (Test\u00e9 par CERTA)",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Description\n\nPar le biais d\u0027une URL construite astucieusement, un utilisateur mal\nintentionn\u00e9 peu avoir acc\u00e8s \u00e0 certains fichiers pr\u00e9sents sur le serveur\n\u00e9quip\u00e9 de HP Web JetAdmin.\n\n## Solution\n\n## 4.1 Passage en version 6\n\nLe passage en version 6 de HP Web jetAdmin supprime cette vuln\u00e9rabilit\u00e9\nmais une autre faille a \u00e9t\u00e9 d\u00e9couverte : gr\u00e2ce \u00e0 une URL mal form\u00e9e un\nutilisateur distant peut entra\u00eener un d\u00e9ni de service sur la machine\nh\u00e9bergeant HP Web JetAdmin.\n\n## 4.2 Solution temporaire\n\nDans le gestionnaire de l\u0027application, n\u0027autoriser l\u0027acc\u00e8s que sur des\nadresses IP de machines reconnues s\u00fbres.\n\nEditeur Inform\u00e9 : Un correctif est en cours de r\u00e9alisation.\n",
"cves": [],
"links": [],
"reference": "CERTA-2000-AVI-003",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2000-05-29T00:00:00.000000"
}
],
"risks": [
{
"description": "Acc\u00e8s aux donn\u00e9es"
},
{
"description": "Contournement des r\u00e8gles de s\u00e9curit\u00e9"
}
],
"summary": null,
"title": "Vuln\u00e9rabilit\u00e9 sous HP Web JetAdmin Version 5.6 et ant\u00e9rieures",
"vendor_advisories": [
{
"published_at": null,
"title": "CERT HP",
"url": null
},
{
"published_at": null,
"title": "ussrback",
"url": null
}
]
}