PT-2013-1998 · Novell · Novell Sentinel Log Manager

Piotr Chmylkowski

Published

2013-03-29

Updated

2017-10-05

CVE-2012-6534

CVSS v2.0

4.3

Medium

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions Novell Sentinel Log Manager versions prior to 1.2.0.3

Description The issue allows remote attackers to create data retention policies by sending a crafted text/x-gwt-rpc request to the "novelllogmanager/datastorageservice.rpc" API endpoint. Additionally, remote authenticated Report Administrators can create data retention policies via a "Save Query As" and then "Save As Retention Policy" action in the search results.

Recommendations For versions prior to 1.2.0.3, update to version 1.2.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "novelllogmanager/datastorageservice.rpc" API endpoint and limiting the ability of Report Administrators to create data retention policies via the search results "Save Query As" and "Save As Retention Policy" action.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-264

Related Identifiers

CVE-2012-6534

Affected Products

Novell Sentinel Log Manager

PT-2013-1998 · Novell · Novell Sentinel Log Manager

CVE-2012-6534

Weakness Enumeration

Related Identifiers

Affected Products

References · 7