SB2017070611 - Information disclosure in EMC Data Protection Advisor



Published: July 10, 2017

Security Bulletin ID: SB2017070611
Severity: Low
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) SQL injection (CVE-ID: CVE-2017-8002)

The vulnerability allows a remote authenticated attacker to execute SQL commands on the target system.

The weakness exists due to improper input validation within the EMC DPA Application service, which listens on TCP port 9002 by default. A remote attacker can supply a specially crafted parameter value to execute SQL commands on the underlying database and obtain information about the application.

Successful exploitation of the vulnerability results in information disclosure.

2) Path traversal (CVE-ID: CVE-2017-8003)

The vulnerability allows a remote authenticated high privileged attacker to obtain potentially sensitive information.

The weakness exists due to improper input validation. A remote attacker can supply specially crafted strings in input parameters, trigger path traversal and read important information on the underlying operating system.

Successful exploitation of the vulnerability results in information disclosure.

Remediation

Install the update from the vendor's website.