CVE-2016-5765

Administrative Server in Micro Focus Host Access Management and Security Server (MSS) and Reflection for the Web (RWeb) and Reflection Security Gateway (RSG) and Reflection ZFE (ZFE) allows remote unauthenticated attackers to read arbitrary files via a specially crafted URL that allows limited directory traversal. Applies to MSS 12.3 before 12.3.326 and MSS 12.2 before 12.2.342 and RSG 12.1 before 12.1.362 and RWeb 12.3 before 12.3.312 and RWeb 12.2 before 12.2.342 and RWeb 12.1 before 12.1.362 and ZFE 2.0.1 before 2.0.1.18 and ZFE 2.0.0 before 2.0.0.52 and ZFE 1.4.0 before 1.4.0.14.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
microfocusCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 73%
VendorProductVersion
microfocushost_access_management_and_security_server
12.2
microfocushost_access_management_and_security_server
12.3
microfocusreflection_for_the_web
12.1
microfocusreflection_for_the_web
12.2
microfocusreflection_for_the_web
12.3
microfocusreflection_security_gateway
12.1
microfocusreflection_zfe
1.4.0.14
microfocusreflection_zfe
2.0.0.52
microfocusreflection_zfe
2.0.1.18
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://support.attachmate.com/techdocs/1704.html
http://www.securityfocus.com/bid/94579
http://www.zerodayinitiative.com/advisories/ZDI-16-618
http://support.attachmate.com/techdocs/1704.html
http://www.securityfocus.com/bid/94579
http://www.zerodayinitiative.com/advisories/ZDI-16-618