HPE Intelligent Management Center UrlAccessController Authentication Bypass
TSL ID TSL20170313-05
CVE ID(s) CVE-2017-5791
Severity High

An authentication bypass vulnerability has been reported in HPE Intelligent Management Center. The vulnerability is due to errors in handling specific strings contained in the request URI.

A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to the target system. Successful exploitation allows an attacker to bypass authentication requirements on a target URI, which can be leveraged to perform further attacks.

The vendor, HPE, has released the following advisory regarding this vulnerability:

Affected Products
  • HP Intelligent Management Center 7.2 E0403P06
CVSS Score
Base 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N):
  • Access vector is NETWORK
  • Access complexity is LOW
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is PARTIAL
  • Impact of this vulnerability on data integrity is PARTIAL
  • Impact of this vulnerability on data availability is NONE
Temporal 4.7 (E:U/RL:OF/RC:C):
  • The exploitability level of this vulnerability is UNPROVEN
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
Related Threats
  • TSL20170331-03 - HPE Intelligent Management Center FileDownloadServlet fileName Directory Traversal
  • TSL20170313-06 - HPE Intelligent Management Center FileUploadServlet Directory Traversal