
ZCM PreBoot Service Information Disclosure Vulnerability - CVE-2013-3706

This document (7014663) is provided subject to the disclaimer at the end of this document.


Novell ZENworks Configuration Management 11.2


A vulnerability has been identified in ZCM.
First, the relative path passed into the function is appended to the base path. That base path contains both 'preboot' and 'update', meaning that the additional checks can never fail. Second, there is no guard against path traversal using '..' in the path. Together, these issues mean that arbitrary file download is possible without credentials.
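The two flaws described above, shown as an added example beside a corrected check; this is not Novell's code. The base directory, the function names and the reading of the "additional checks" as substring tests are assumptions made for illustration.

```python
import os

# Constructed base directory (assumption); the advisory only says the real
# base path contains both 'preboot' and 'update'.
BASE = "/srv/zcm/preboot/update"


def flawed_resolve(rel_path):
    """Mirrors the described flaw: checks run on the joined path, no '..' guard."""
    full = BASE + "/" + rel_path
    # BASE alone already contains both keywords, so this test can never fail.
    if "preboot" not in full or "update" not in full:
        raise PermissionError("rejected")
    # '..' segments are collapsed only after the check has passed.
    return os.path.normpath(full)


def safe_resolve(rel_path, base=BASE):
    """Canonicalise first, then require the result to stay under base."""
    if os.path.isabs(rel_path) or "\x00" in rel_path:
        raise PermissionError("rejected: absolute path or NUL byte")
    root = os.path.realpath(base)
    # realpath collapses '..' and follows symlinks before the comparison.
    full = os.path.realpath(os.path.join(root, rel_path))
    if os.path.commonpath([root, full]) != root:
        raise PermissionError("rejected: escapes base directory")
    return full


def escapes_base(path, base=BASE):
    """True if an already resolved path lies outside base."""
    root = os.path.realpath(base)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


if __name__ == "__main__":
    # Constructed request path, not taken from the advisory.
    request = "../../../sample.conf"
    print("flawed check returns:", flawed_resolve(request))
    try:
        safe_resolve(request)
    except PermissionError as err:
        print("corrected check:", err)
```

The corrected check validates the canonical path rather than the request string, so the comparison is made on the file that would actually be opened.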


 This is fixed in version 11.3 - see TID 7014213 "ZENworks Configuration Management 11.3 - update information and list of fixes" which can be found at
Direct Download:


Security Alert

Additional Information

This vulnerability has been assigned the identifier CVE-2013-3706 by the CVE database.
This vulnerability was discovered by Mak Kolybabi and provided by HP's Zero Day Initiative.


This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7014663
  • Creation Date: 28-FEB-14
  • Modified Date: 10-MAR-14
    • Novell ZENworks Configuration Management
