Detections
Analytics
ManageEngine NetFlow Analyzer Multiple Path Traversal and File Access
medium Nessus Plugin ID 81821
Language:
Synopsis
The remote web server is affected by directory traversal vulnerabilities.Description
ManageEngine NetFlow Analyzer prior to version 10 build 10250 is affected by the following directory traversal vulnerabilities :- User input to the 'schFilePath' parameter to CVSServlet or CReportPDFServlet is not properly sanitized. A remote attacker, using a specially crafted request, can exploit this to gain access to files outside of a restricted path. (CVE-2014-5445)
- User input to the 'filename' parameter to servlet DisplayChartPDF is not properly sanitized. A remote attacker, using a specially crafted request, can exploit this to gain access to files outside of a restricted path. (CVE-2014-5446)
Solution
Update to version 10 build 10250 or later.See Also
http://www.nessus.org/u?9899d210
https://www.manageengine.com/products/netflow/service-packs.html
Plugin Details
Severity: Medium
ID: 81821
File Name: manageengine_netflow_CVE-2014-5446.nasl
Version: 1.9
Type: remote
Family: CGI abuses
Published: 3/16/2015
Updated: 4/11/2022
Configuration: Enable thorough checks
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 4.4
CVSS v2
Risk Factor: Medium
Base Score: 5
Temporal Score: 4.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
Vulnerability Information
CPE: cpe:/a:manageengine:netflow_analyzer
Required KB Items: installed_sw/ManageEngine NetFlow Analyzer
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 1/23/2015
Vulnerability Publication Date: 11/30/2014
Reference Information
CVE: CVE-2014-5445, CVE-2014-5446
BID: 71404