PT-2018-8511 · Parallels · Parallels Remote Application Server

Published

2018-02-28

·

Updated

2018-03-23

·

CVE-2017-9447

CVSS v3.1

7.5

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Parallels Remote Application Server (RAS) version 15.5 Build 16140

Description: A path traversal vulnerability exists in the web interface: the file path of a resource requested under the "RASHTML5Gateway" directory is not properly validated before the file is served. A remote, unauthenticated attacker can place path traversal sequences in such a request and read arbitrary files from the vulnerable system.

Recommendations: For Parallels Remote Application Server (RAS) version 15.5 Build 16140, restrict access to the "RASHTML5Gateway" directory until a patch is available; as a temporary workaround, limit which resources may be requested under that directory so that requests containing traversal sequences are not served. Note that a filter which only rejects the literal string "../" is not sufficient, since the same sequence can arrive percent-encoded, double-encoded, or with backslash separators; the check has to be applied to the decoded, normalized path.
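The two checks the recommendation above calls for, as an added example (not Parallels code and not the vulnerable component): a containment check that resolves a decoded request path against the gateway's document root and refuses anything that escapes it, and a scan over access-log lines that flags requests to the "RASHTML5Gateway" directory which would have failed that check. The document root, the URL prefix and the log line format are assumptions made for illustration; the log lines are constructed.

```python
"""Containment check and log scan for traversal attempts against a
directory served by a web gateway.  Added example; the root directory,
URL prefix and log format are assumptions, not taken from the product."""
import posixpath
from urllib.parse import unquote

GATEWAY_PREFIX = "/RASHTML5Gateway/"          # assumed URL prefix
GATEWAY_ROOT = "/srv/ras/RASHTML5Gateway"     # assumed document root


def decode_request_path(url_path: str) -> str:
    """Strip the query string, percent-decode twice (so %252e%252e is
    seen as '..'), and unify backslashes to '/'.  Double decoding means a
    legitimate name containing a literal '%25' would be mis-read; for a
    static-content directory that trade-off is acceptable."""
    path = url_path.split("?", 1)[0]
    path = unquote(unquote(path))
    return path.replace("\\", "/")


def resolve_gateway_resource(url_path: str, root: str = GATEWAY_ROOT):
    """Return the filesystem path a request maps to, or None when the
    request is not for the gateway directory or would escape it."""
    path = decode_request_path(url_path)
    if "\x00" in path or not path.startswith(GATEWAY_PREFIX):
        return None
    rel = path[len(GATEWAY_PREFIX):]
    # Join first, normalize second: collapsing '..' on the URL alone would
    # hide the escape, since '/a/../../x' normalizes to '/x'.
    candidate = posixpath.normpath(posixpath.join(root, rel))
    # commonpath is the containment test a string-prefix check gets wrong
    # (e.g. '/srv/ras/RASHTML5Gateway_backup' shares the prefix).
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def find_traversal_attempts(log_lines):
    """Flag access-log requests aimed at the gateway directory whose
    decoded path fails the containment check.  Assumed line format:
    '<ip> - - [<time>] "<METHOD> <path> HTTP/1.1" <status>'."""
    hits = []
    for line in log_lines:
        try:
            request = line.split('"')[1]
            _method, url_path, _proto = request.split(" ", 2)
        except (IndexError, ValueError):
            continue  # not a request line we understand
        if (decode_request_path(url_path).startswith(GATEWAY_PREFIX)
                and resolve_gateway_resource(url_path) is None):
            hits.append((line.split(" ", 1)[0], url_path))
    return hits


# Constructed sample log: plain, encoded, double-encoded and benign requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Feb/2018:10:00:01 +0000] "GET /RASHTML5Gateway/index.html HTTP/1.1" 200',
    '203.0.113.5 - - [28/Feb/2018:10:00:02 +0000] "GET /RASHTML5Gateway/../../../etc/passwd HTTP/1.1" 200',
    '198.51.100.7 - - [28/Feb/2018:10:00:03 +0000] "GET /RASHTML5Gateway/..%2f..%2f..%2fwindows/win.ini HTTP/1.1" 200',
    '198.51.100.7 - - [28/Feb/2018:10:00:04 +0000] "GET /RASHTML5Gateway/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 200',
    '192.0.2.9 - - [28/Feb/2018:10:00:05 +0000] "GET /RASHTML5Gateway/css/../js/app.js HTTP/1.1" 200',
    '192.0.2.9 - - [28/Feb/2018:10:00:06 +0000] "GET /other/../../etc/passwd HTTP/1.1" 404',
]

if __name__ == "__main__":
    for ip, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

The scan is deliberately built on the same `resolve_gateway_resource` function a fixed gateway would use to serve files, so anything it flags is exactly what the server would have refused; a "css/../js/app.js" request stays inside the root and is not reported, while plain, single-encoded and double-encoded escapes all are.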

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2017-9447

Affected Products

Parallels Remote Application Server