SB2023062939 - Multiple vulnerabilities in Arcserve UDP

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023062939

SB2023062939 - Multiple vulnerabilities in Arcserve UDP

Published: June 29, 2023 Updated: June 21, 2024

Security Bulletin ID SB2023062939
Severity
High
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 20% Medium 80%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Incorrect Regular Expression (CVE-ID: CVE-2022-22950)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due improper input validation when processing SpEL expressions. A remote attacker can send a specially crafted HTTP request to the affected application and perform a denial of service (DoS) attack.


2) Input validation error (CVE-ID: CVE-2022-22970)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the Spring MVC or Spring WebFlux applications. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.


3) Input validation error (CVE-ID: CVE-2022-22971)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the Spring application with a STOMP over WebSocket endpoint. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.


4) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2023-24998)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to Apache Commons FileUpload does not limit the number of request parts. A remote attacker can initiate a series of uploads and perform a denial of service (DoS) attack.


5) Improper authentication (CVE-ID: CVE-2023-26258)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to a logic error in the authentication process. A remote attacker can bypass authentication and gain unauthorized access to the application.


Remediation

Install update from vendor's website.

References