Novell is now a part of Micro Focus

My Favorites

Close

Please to see your favorites.

Vibe Arbitrary File Download (CVE-2017-7433)

This document (7019005) is provided subject to the disclaimer at the end of this document.

Environment

Micro Focus Vibe 4.0.2 (and earlier)

Situation

An absolute path traversal vulnerability (CWE-36) in Micro Focus Vibe 4.0.2 and earlier allows a remote authenticated attacker to download arbitrary files from the server by submitting a specially crafted request to the viewFile endpoint. Note that the attack can be performed without authentication if Guest access is enabled (Guest access is disabled by default).

Resolution

A fix for this issue is available in Micro Focus Vibe 4.0.3.

Additional Information

CVE-2017-7433 (More details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7433)

Special thanks to Kacper Szurek (https://security.szurek.pl/) for reporting this issue.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7019005
  • Creation Date:17-MAY-17
  • Modified Date:17-MAY-17
    • NovellVibe

Did this document solve your problem? Provide Feedback