SB2024051624 - Multiple vulnerabilities in Arcserve Unified Data Protection

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024051624

SB2024051624 - Multiple vulnerabilities in Arcserve Unified Data Protection

Published: May 16, 2024

Security Bulletin ID SB2024051624
Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 33% Medium 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Improper Authentication (CVE-ID: CVE-2024-0799)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in when processing authentication requests in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin() function within wizardLogin. A remote attacker can bypass authentication process and gain unauthorized access to the application.


2) Path traversal (CVE-ID: CVE-2024-0800)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet. A remote user can send a specially crafted HTTP request and upload arbitrary files on the system.


3) Input validation error (CVE-ID: CVE-2024-0801)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in ASNative.dll. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References