Service Desk Vulnerability in the Access Control Enforcement of the File Download Functionality (CVE-2016-1594)

  • 7017429
  • 30-Mar-2016
  • 04-Apr-2016

Environment

Novell Service Desk 7.0.3
Novell Service Desk 7.1

Situation

There was a vulnerability in the access control enforcement of the file download functionality that may have allowed a remote attacker authenticated as a non-privileged user to read arbitrary file attachments from other users in the system.

This vulnerability has been reported as CVE-2016-1594.

Resolution

This vulnerability has been fixed in Micro Focus Service Desk 7.2.

Additional Information

Thanks to Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security for discovering and reporting this vulnerability.