| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201209211631.q8LGVJwB028370@sf01web2.securityfocus.com> Date: Fri, 21 Sep 2012 16:31:19 GMT From: ddivulnalert@...frontline.com To: bugtraq@...urityfocus.com Subject: DDIVRT-2012-42 Novell GroupWise Agents Arbitrary File Retrieval (CVE-2012-0419) Title ----- DDIVRT-2012-42 Novell GroupWise Agents Arbitrary File Retrieval (CVE-2012-0419) Severity -------- High Date Discovered --------------- April 2, 2012 Discovered By ------------- Digital Defense, Inc. Vulnerability Research Team Credit: r@...$ Vulnerability Description ------------------------- The HTTP interfaces for Novell GroupWise 8.0.2 Post Office Agent, Message Transfer Agent, and GroupWise Internet Agent are vulnerable to an arbitrary file retrieval condition due to a failure to properly filter certain crafted directory traversal sequences. An unauthenticated remote attacker can leverage this flaw to retrieve files with the privileges of the vulnerable agent. Solution Description -------------------- Novell has provided solutions for this issue in the form of GroupWise 8.0 SP3 as well as in the latest GroupWise 2012 SP1 release. http://www.novell.com/support/kb/doc.php?id=7010772 Tested Systems / Software ------------------------- Novell GroupWise 8.0.2 Post Office Agent Novell GroupWise 8.0.2 Message Transfer Agent Novell GroupWise 8.0.2 GroupWise Internet Agent Vendor Contact -------------- Vendor Name: Novell Vendor Website: http://www.novell.com/
Powered by blists - more mailing lists