CVE-2019-6500

Name of the Vulnerable Software and Affected Versions Axway File Transfer Direct version 2.7.1

Description The issue allows for an unauthenticated Directory Traversal by issuing a specially crafted HTTP GET request. This can be achieved by using %2e instead of '.' characters in the request, as shown in an example with the substring /h2hdocumentation//%2e%2e/.

Recommendations For Axway File Transfer Direct version 2.7.1, consider restricting access to the HTTP GET request endpoint to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using the %2e character in requests to prevent potential directory traversal attacks.