PT-2013-5211 · Hewlett Packard · Hp Procurve Manager+2
Andrea Micalizzi
+1
·
Published
2013-09-11
·
Updated
2025-04-22
·
CVE-2013-4812
CVSS v2.0
10
High
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
HP ProCurve Manager versions 3.20 through 4.0
HP PCM+ versions 3.20 through 4.0
Identity Driven Manager version 4.0
Description
The issue concerns the UpdateCertificatesServlet in the SNAC registration server, which fails to properly validate the
fileName argument. This allows remote attackers to upload .jsp files, resulting in the execution of arbitrary code.Recommendations
For HP ProCurve Manager versions 3.20 through 4.0, consider disabling the UpdateCertificatesServlet until a patch is available.
For HP PCM+ versions 3.20 through 4.0, restrict access to the UpdateCertificatesServlet to minimize the risk of exploitation.
For Identity Driven Manager version 4.0, avoid using the
fileName argument in the affected servlet until the issue is resolved.Exploit
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Hp Pcm+
Hp Procurve Manager
Identity Driven Manager