Remote code execution in HPE Intelligent Management Center

Published: 2017-10-31 15:48:03
Severity: High
Patch available: YES
Number of vulnerabilities: 1
CVSSv2: 6.7 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)
CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE ID: CVE-2017-8961
CWE ID: CWE-22
Exploitation vector: Network
Public exploit: Not available
Vulnerable software: HP Intelligent Management Center
Vulnerable software versions: HP Intelligent Management Center 7.3, HP Intelligent Management Center 7.2, HP Intelligent Management Center 7.0
Vendor URL: Hewlett Packard Enterprise Development LP
Advisory type: Public

Security Advisory

1) Directory traversal

Description

The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.

The weakness is a directory traversal flaw (CWE-22) in flexFileUpload in HPE Intelligent Management Center. A remote authenticated attacker can exploit it to execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Update to version 7.3 E0506P03.

External links

https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03788en_us
