Vulnerability-Lookup

CNVD-2017-10569

Vulnerability from cnvd - Published: 2017-06-21

Title

Micro Focus Vibe目录遍历漏洞

Description

Micro Focus Vibe将用户工作所需内容汇总起来。Vibe 支持无缝和安全访问。Vibe 移动应用程序可安全储存一个或多个 Vibe 站点的登录凭证，因此用户可以轻松快速地连接到 Vibe 站点。 Micro Focus Vibe存在目录遍历漏洞。远程攻击者可以利用该漏洞通过特制的请求从服务器下载任意文件，未经认证执行未授权操作。

Severity

中

Patch Name

Micro Focus Vibe目录遍历漏洞的补丁

Patch Description

Formal description

用户可参考如下厂商提供的安全补丁以修复该漏洞： https://www.novell.com/support/kb/doc.php?id=7019005

Reference

https://cxsecurity.com/cveshow/CVE-2017-7433/

Impacted products

Name
Micro Focus Vibe <=4.0.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-7433",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7433"
    }
  },
  "description": "Micro Focus Vibe\u5c06\u7528\u6237\u5de5\u4f5c\u6240\u9700\u5185\u5bb9\u6c47\u603b\u8d77\u6765\u3002Vibe \u652f\u6301\u65e0\u7f1d\u548c\u5b89\u5168\u8bbf\u95ee\u3002Vibe \u79fb\u52a8\u5e94\u7528\u7a0b\u5e8f\u53ef\u5b89\u5168\u50a8\u5b58\u4e00\u4e2a\u6216\u591a\u4e2a Vibe \u7ad9\u70b9\u7684\u767b\u5f55\u51ed\u8bc1\uff0c\u56e0\u6b64\u7528\u6237\u53ef\u4ee5\u8f7b\u677e\u5feb\u901f\u5730\u8fde\u63a5\u5230 Vibe \u7ad9\u70b9\u3002\r\n\r\nMicro Focus Vibe\u5b58\u5728\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u7279\u5236\u7684\u8bf7\u6c42\u4ece\u670d\u52a1\u5668\u4e0b\u8f7d\u4efb\u610f\u6587\u4ef6\uff0c\u672a\u7ecf\u8ba4\u8bc1\u6267\u884c\u672a\u6388\u6743\u64cd\u4f5c\u3002",
  "discovererName": "unknown",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttps://www.novell.com/support/kb/doc.php?id=7019005",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-10569",
  "openTime": "2017-06-21",
  "patchDescription": "Micro Focus Vibe\u5c06\u7528\u6237\u5de5\u4f5c\u6240\u9700\u5185\u5bb9\u6c47\u603b\u8d77\u6765\u3002Vibe \u652f\u6301\u65e0\u7f1d\u548c\u5b89\u5168\u8bbf\u95ee\u3002Vibe \u79fb\u52a8\u5e94\u7528\u7a0b\u5e8f\u53ef\u5b89\u5168\u50a8\u5b58\u4e00\u4e2a\u6216\u591a\u4e2a Vibe \u7ad9\u70b9\u7684\u767b\u5f55\u51ed\u8bc1\uff0c\u56e0\u6b64\u7528\u6237\u53ef\u4ee5\u8f7b\u677e\u5feb\u901f\u5730\u8fde\u63a5\u5230 Vibe \u7ad9\u70b9\u3002\r\n\r\nMicro Focus Vibe\u5b58\u5728\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u7279\u5236\u7684\u8bf7\u6c42\u4ece\u670d\u52a1\u5668\u4e0b\u8f7d\u4efb\u610f\u6587\u4ef6\uff0c\u672a\u7ecf\u8ba4\u8bc1\u6267\u884c\u672a\u6388\u6743\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Micro Focus Vibe\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Micro Focus Vibe \u003c=4.0.2"
  },
  "referenceLink": "https://cxsecurity.com/cveshow/CVE-2017-7433/",
  "serverity": "\u4e2d",
  "submitTime": "2017-05-24",
  "title": "Micro Focus Vibe\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e"
}

CVE-2017-7433 (GCVE-0-2017-7433)

Vulnerability from cvelistv5 – Published: 2017-05-18 14:00 – Updated: 2024-08-05 16:04

Summary

An absolute path traversal vulnerability (CWE-36) in Micro Focus Vibe 4.0.2 and earlier allows a remote authenticated attacker to download arbitrary files from the server by submitting a specially crafted request to the viewFile endpoint. Note that the attack can be performed without authentication if Guest access is enabled (Guest access is disabled by default).

Severity

No CVSS data available.

CWE

Arbitrary file download

Assigner

microfocus

References

1 reference

URL	Tags
https://www.novell.com/support/kb/doc.php?id=7019005	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
Micro Focus	Vibe	Affected: 4.0.2 and earlier

Date Public

2017-05-17 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T16:04:11.272Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.novell.com/support/kb/doc.php?id=7019005"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Vibe",
          "vendor": "Micro Focus",
          "versions": [
            {
              "status": "affected",
              "version": "4.0.2 and earlier"
            }
          ]
        }
      ],
      "datePublic": "2017-05-17T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "An absolute path traversal vulnerability (CWE-36) in Micro Focus Vibe 4.0.2 and earlier allows a remote authenticated attacker to download arbitrary files from the server by submitting a specially crafted request to the viewFile endpoint. Note that the attack can be performed without authentication if Guest access is enabled (Guest access is disabled by default)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Arbitrary file download",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-06T16:16:06.000Z",
        "orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
        "shortName": "microfocus"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.novell.com/support/kb/doc.php?id=7019005"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@microfocus.com",
          "ID": "CVE-2017-7433",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Vibe",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "4.0.2 and earlier"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Micro Focus"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An absolute path traversal vulnerability (CWE-36) in Micro Focus Vibe 4.0.2 and earlier allows a remote authenticated attacker to download arbitrary files from the server by submitting a specially crafted request to the viewFile endpoint. Note that the attack can be performed without authentication if Guest access is enabled (Guest access is disabled by default)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Arbitrary file download"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.novell.com/support/kb/doc.php?id=7019005",
              "refsource": "CONFIRM",
              "url": "https://www.novell.com/support/kb/doc.php?id=7019005"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
    "assignerShortName": "microfocus",
    "cveId": "CVE-2017-7433",
    "datePublished": "2017-05-18T14:00:00.000Z",
    "dateReserved": "2017-04-05T00:00:00.000Z",
    "dateUpdated": "2024-08-05T16:04:11.272Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-10569

CVE-2017-7433 (GCVE-0-2017-7433)

Tags

Sightings

Nomenclature