Dell Storage Manager EmWebsiteServlet Directory Traversal
TSL ID TSL20170802-08
CVE ID(s) CVE-2017-10949
Severity High
Description

An information disclosure vulnerability has been reported in Dell Storage Manager. The vulnerability is due to an input validation error in the doGet() method of the EmWebsiteServlet servlet.

A remote, unauthenticated attacker could exploit the vulnerability by sending crafted requests to the target system. Successful exploitation could disclose the contents of arbitrary files within the web directory of the target system, read with SYSTEM privileges.
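As an added illustration (not Dell's code; the product's actual servlet logic and install path are not given here), the Python below contrasts the unsafe pattern the advisory describes, resolving a request path against the web directory without verifying where it lands, with a check that rejects any request escaping that directory. WEB_ROOT and the sample requests are constructed; posixpath is used so the result is deterministic regardless of the host the snippet runs on.

```python
import posixpath
from urllib.parse import unquote

# Constructed web root for the example; hypothetical, not the product's real path.
WEB_ROOT = "/srv/example/webroot"


def resolve_unchecked(web_root: str, requested: str) -> str:
    """Vulnerable pattern: join the request path onto the web root and
    normalise it, but never verify the result still lies under the root."""
    return posixpath.normpath(posixpath.join(web_root, unquote(requested).lstrip("/")))


def resolve_checked(web_root: str, requested: str):
    """Hardened pattern: decode once, treat backslashes as separators (the
    product runs on Windows), reject NUL bytes, canonicalise, then require the
    canonical path to be the web root itself or a descendant of it.
    Returns the canonical path, or None when the request escapes the root."""
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/")
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed request paths of the kind a servlet's doGet() might receive.
SAMPLE_REQUESTS = [
    "/index.html",              # ordinary file under the root
    "/css/../js/app.js",        # ".." that stays inside the root: fine
    "/../../outside.txt",       # plain traversal out of the root
    "/..%2F..%2Foutside.txt",   # same traversal with encoded separators
    "/..\\..\\outside.txt",     # same traversal with Windows separators
    "/static/%00.txt",          # embedded NUL byte
]


def evaluate(requests):
    """Return (request, unchecked_result, checked_result) for each request."""
    return [(r, resolve_unchecked(WEB_ROOT, r), resolve_checked(WEB_ROOT, r)) for r in requests]


if __name__ == "__main__":
    for req, unchecked, checked in evaluate(SAMPLE_REQUESTS):
        verdict = "allowed" if checked else "rejected"
        print(f"{req:26} unchecked -> {unchecked:42} checked -> {verdict}")
```

Note that the unchecked resolver happily returns /srv/outside.txt for the encoded and backslash variants once the container has decoded them, which is exactly the class of request a web-tier filter or servlet wrapper should reject before any file is opened.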

The vendor, Dell, has released an advisory and an updated version of the software:

http://topics-cdn.dell.com/pdf/dell-compellent-sc8000_release%20notes24_en-us.pdf

Affected Products
  • Dell Storage Manager prior to 7.2.11
CVSS Score
Base 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N):
  • Access vector is NETWORK
  • Access complexity is LOW
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is PARTIAL
  • Impact of this vulnerability on data integrity is NONE
  • Impact of this vulnerability on data availability is NONE
Temporal 3.7 (E:U/RL:OF/RC:C):
  • The exploitability level of this vulnerability is UNPROVEN
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
Identifiers
ZDI
References http://topics-cdn.dell.com/pdf/dell-compellent-sc8000_release%20notes24_en-us.pdf
Related Threats