PT-2015-7630 · Lenovo+1 · Lenovo Switch Center+1
Andrea Micalizzi
+1
·
Published
2015-11-10
·
Updated
2015-11-12
·
CVE-2015-7820
CVSS v2.0
7.1
High
| Vector | AV:N/AC:M/Au:N/C:C/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
IBM System Networking Switch Center versions prior to 7.3.1.5
Lenovo Switch Center versions prior to 8.1.2.0
Description
A race condition in the administration-panel web service allows remote attackers to obtain privileged-account access. This access can be used to provide input containing directory traversal sequences to read arbitrary files via a request. The issue is related to the ZipDownload.jsp file.
Recommendations
For IBM System Networking Switch Center versions prior to 7.3.1.5, update to version 7.3.1.5 or later.
For Lenovo Switch Center versions prior to 8.1.2.0, update to version 8.1.2.0 or later.
As a temporary workaround, consider restricting access to the administration-panel web service and the ZipDownload.jsp file to minimize the risk of exploitation.
Fix
Race Condition
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ibm System Networking Switch Center
Lenovo Switch Center