oss-sec mailing list archives
[CVE-2017-14614] GridGain Visor GUI Console - File System Path Traversal
From: Andrey Bazhenov <support () gridgain freshdesk com>
Date: Thu, 05 Oct 2017 08:54:30 +0000 (UTC)
Severity: Important Vendor: GridGain Systems Versions Affected: * GridGain 8.1.4 and earlier * GridGain 1.9.6 and earlier * GridGain 1.8.11 and earlier * GridGain 1.7.15 and earlier Impact: The vulnerability impacts GridGain Visor GUI Management Console users. Visor allows open log files of remote cluster nodes and observe them locally. To get the logs a user needs to provide a path to the files. Visor does not sanitize the path provided that might result in an unauthorized access to sensitive files. Description: Visor GUI Console uses a user-supplied input to construct a pathname to a remote directory with log files. The application does not sanitize this path and malicious application users can get an access to restricted or sensitive files stored on a server’s file system. Mitigation: Start cluster nodes under a system user that has restricted access to the file system. In addition, to make the cluster more secure consider using GridGain’s Security module setting up basic authentication and authorization parameters. Upgrade to the versions below to enable the path sanitization by default: * GridGain 8.1.5 or later * GridGain 1.9.7 or later * GridGain 1.8.12 or later * GridGain 1.7.16 or later References: * http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14614
Current thread:
- [CVE-2017-14614] GridGain Visor GUI Console - File System Path Traversal Andrey Bazhenov (Oct 05)