Hillstone Networks

RULE（RULE ID：321985）

Rule General Information


Release Date:		2019-06-25

Rule Name:		Rocket Servergraph Admin Center fileRequest Arbitrary File Creation Vulnerability (CVE-2014-3914)

Severity:

CVE ID:

Rule Protection Details


Description:		Directory traversal vulnerability in the Admin Center for Tivoli Storage Manager (TSM) in Rocket ServerGraph 1.2 allows remote attackers to (1) create arbitrary files via a .. (dot dot) in the query parameter in a writeDataFile action to the fileRequestor servlet, execute arbitrary files via a .. (dot dot) in the query parameter in a (2) run or (3) runClear action to the fileRequestor servlet, (4) read arbitrary files via a readDataFile action to the fileRequestor servlet, (5) execute arbitrary code via a save_server_groups action to the userRequest servlet, or (6) delete arbitrary files via a del action in the fileRequestServlet servlet.

Impact:		An attacker could exploit this vulnerability to have unspecified effect.

Affected OS:		Windows, Linux, FreeBSD, Solaris, Other Unix, Network Device, Mac OS, iOS, Android, Others

Reference:		ExploitDB:33807 ZeroDayInitiative:ZDI-14-161 ZeroDayInitiative:ZDI-14-162 ZeroDayInitiative:ZDI-14-163

Solutions

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.