PT-2016-5906 · Hewlett Packard · HPE Performance Center, HP LoadRunner
Published 2016-06-03 · Updated 2017-11-03 · CVE-2016-4360
CVSS v3.1: 9.1 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
HPE LoadRunner versions 11.52 through patch 3
HPE LoadRunner versions 12.00 through patch 1
HPE LoadRunner versions 12.01 through patch 3
HPE LoadRunner versions 12.02 through patch 2
HPE LoadRunner versions 12.50 through patch 3
Performance Center versions 11.52 through patch 3
Performance Center versions 12.00 through patch 1
Performance Center versions 12.01 through patch 3
Performance Center versions 12.20 through patch 2
Performance Center versions 12.50 through patch 1
Description
The issue is related to the Performance Center Virtual Table Server (VTS) component in HPE LoadRunner, where the web/admin/data.js file does not restrict file paths sent to an unlink call. This allows remote attackers to delete arbitrary files via the path parameter to "data/import csv".
Recommendations
For HPE LoadRunner versions 11.52 through patch 3, update to a version after patch 3.
For HPE LoadRunner versions 12.00 through patch 1, update to a version after patch 1.
For HPE LoadRunner versions 12.01 through patch 3, update to a version after patch 3.
For HPE LoadRunner versions 12.02 through patch 2, update to a version after patch 2.
For HPE LoadRunner versions 12.50 through patch 3, update to a version after patch 3.
For Performance Center versions 11.52 through patch 3, update to a version after patch 3.
For Performance Center versions 12.00 through patch 1, update to a version after patch 1.
For Performance Center versions 12.01 through patch 3, update to a version after patch 3.
For Performance Center versions 12.20 through patch 2, update to a version after patch 2.
For Performance Center versions 12.50 through patch 1, update to a version after patch 1.
As a temporary workaround, consider restricting access to the "data/import csv" endpoint until a patch is available.
Fix
Related Identifiers
Affected Products
HP LoadRunner
HPE Performance Center