Path traversal in GigaVUE-OS

#VU49364 Path traversal in GigaVUE-OS

Published: 2020-04-29 | Updated: 2021-01-11

Vulnerability identifier: #VU49364

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-12251

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
GigaVUE-OS
Operating systems & Components / Operating system

Vendor: Gigamon

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to insufficient sanitization of user-supplied passed in the upload functionality. A remote authenticated attacker can send a specially crafted HTTP request containing directory traversal sequences and read contents of arbitrary files on the system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

GigaVUE-OS: 5.4 - 5.9

External links
http://community.gigamon.com/gigamoncp/s/article/Field-Notice-Gigamon-addressing-multiple-vulnerabilities-in-GigaVUE-OS

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Gigamon GigaVUE-OS