Summary
This host is running McAfee Asset Manager and is prone to directory traversal and SQL injection vulnerabilities.
Impact
Successful exploitation will allow attackers to disclose potentially sensitive information and to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
Impact Level: Application
Solution
No solution or patch is available as of 9th February, 2015. Information regarding this issue will be updated once the solution details are available.
For updates refer to http://www.mcafeeworks.com/Asset-Manager.asp
Insight
The flaws are due to:
- The '/servlet/downloadReport' script not properly sanitizing user input, specifically path-traversal-style input supplied via the 'reportFileName' GET parameter.
- The '/jsp/reports/ReportsAudit.jsp' script not properly sanitizing user-supplied input to the 'user' POST parameter.
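A defender-side check for the first flaw, added here as an example (it is not part of the NVT or of McAfee's code): it scans web-server access-log lines for '/servlet/downloadReport' requests whose 'reportFileName' value resolves to a traversal once percent-decoding (including double encoding) is undone. The Combined-Log-Format layout and the sample lines are assumptions, constructed for this example.

```python
"""Flag /servlet/downloadReport requests whose reportFileName parameter
carries a path-traversal payload (CVE-2014-2587). Added example; the log
lines below are constructed, not real traffic."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Combined Log Format style, assumed).
SAMPLE_LOG = """\
10.0.0.5 - - [09/Feb/2015:10:01:02 +0000] "GET /servlet/downloadReport?reportFileName=audit_2015.pdf HTTP/1.1" 200 5120
10.0.0.9 - - [09/Feb/2015:10:01:07 +0000] "GET /servlet/downloadReport?reportFileName=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1904
10.0.0.9 - - [09/Feb/2015:10:01:09 +0000] "GET /servlet/downloadReport?reportFileName=%252e%252e/%252e%252e/WEB-INF/web.xml HTTP/1.1" 200 3071
10.0.0.7 - - [09/Feb/2015:10:02:11 +0000] "GET /jsp/reports/ReportsAudit.jsp HTTP/1.1" 200 8800
"""

# client, timestamp, method, request target, status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def normalise(value):
    """Percent-decode repeatedly (bounded) so double-encoded dots are seen,
    then fold backslashes so Windows-style separators are treated alike."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def is_traversal(name):
    """True if the decoded file name escapes a report directory."""
    n = normalise(name)
    return ".." in n.split("/") or n.startswith("/") or re.match(r"^[A-Za-z]:/", n) is not None

def find_traversal_attempts(log_text):
    """Return one record per downloadReport request with a traversal payload."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        if parts.path != "/servlet/downloadReport":
            continue
        # parse_qs decodes one layer; normalise() handles any further layers.
        for name in parse_qs(parts.query, keep_blank_values=True).get("reportFileName", []):
            if is_traversal(name):
                hits.append({"src": src, "time": ts, "status": int(status),
                             "reportFileName": normalise(name)})
    return hits
```

POST bodies for the 'ReportsAudit.jsp' flaw are not in access logs, so that one needs request-body logging or a WAF rule rather than this scan.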
Affected
McAfee Asset Manager version 6.6
Detection
Get the installed version of McAfee Asset Manager with the help of the detect NVT and check whether the version is vulnerable.
Severity
Classification
CVE: CVE-2014-2587, CVE-2014-2588
CVSS Base Score: 6.5
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P