CVE-2014-3914

Name of the Vulnerable Software and Affected Versions Rocket ServerGraph version 1.2

Description The issue allows remote attackers to create arbitrary files via a .. (dot dot) in the query parameter in a writeDataFile action to the fileRequestor servlet, execute arbitrary files via a .. (dot dot) in the query parameter in a run or runClear action to the fileRequestor servlet, read arbitrary files via a readDataFile action to the fileRequestor servlet, execute arbitrary code via a save server groups action to the userRequest servlet, or delete arbitrary files via a del action in the fileRequestServlet servlet.

Recommendations For Rocket ServerGraph version 1.2, consider disabling the fileRequestor servlet and userRequest servlet until a patch is available. Restrict access to the fileRequestServlet servlet to minimize the risk of exploitation. Avoid using the query parameter in the affected API endpoints until the issue is resolved. As a temporary workaround, consider restricting the save server groups action in the userRequest servlet to prevent arbitrary code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.