PT-2019-12723 · Microsoft+2 · Windows+3

Published 2019-05-21 · Updated 2020-08-24 · CVE-2019-12270

CVSS v3.1 7.4 High

Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

OpenText Brava! Enterprise and Brava! Server versions 7.5 through 16.4

Description

The issue concerns excessive permissions configured by default on Windows for OpenText Brava! Enterprise and Brava! Server. During installation, a displaylistcache file share is created with full read and write permissions for the Everyone group at both the NTFS and Share levels. This share is used for retrieving and storing documents. However, the only share-level access required is read/write for the JobProcessor service account, and at the local filesystem (NTFS) level the only additional permission required is read/write for the servlet engine, such as Tomcat.

Recommendations

For versions 7.5 through 16.4, restrict the displaylistcache file share permissions so that only the JobProcessor service account and the servlet engine, such as Tomcat, have read/write access, to minimize the risk of exploitation.
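
One way to check a host against this recommendation, as an added example that is not part of the original advisory or any OpenText tooling: it flags every Allow entry on the displaylistcache share or its folder that is not on an allowlist. The account names and the SYSTEM/Administrators NTFS baseline are assumptions (placeholders) to replace with your own; the sample entries are constructed to mirror the default install described above.

```powershell
# Added example: audit displaylistcache permissions against an allowlist.
# Placeholder account names (assumptions); substitute your real service accounts.
$ShareName    = 'displaylistcache'
$ShareAllowed = @('CONTOSO\svc-jobprocessor')
$NtfsAllowed  = @('CONTOSO\svc-jobprocessor', 'CONTOSO\svc-tomcat')
# Assumption: administrative principals are left on the folder; adjust to local policy.
$NtfsBaseline = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Find-ExcessAccess {
    param(
        [Parameter(Mandatory)] [object[]] $Entries,  # objects with Account, Type, Right
        [Parameter(Mandatory)] [string[]] $Allowed
    )
    foreach ($e in $Entries) {
        if ($e.Type -ne 'Allow') { continue }             # Deny entries grant nothing
        if ($Allowed -notcontains $e.Account) { $e }      # case-insensitive match
    }
}

# Normalise live share-level and NTFS-level entries into the same shape.
function Get-ShareEntries([string]$Name) {
    Get-SmbShareAccess -Name $Name | ForEach-Object {
        [pscustomobject]@{ Account = $_.AccountName
                           Type    = "$($_.AccessControlType)"
                           Right   = "$($_.AccessRight)" }
    }
}
function Get-NtfsEntries([string]$Path) {
    (Get-Acl -LiteralPath $Path).Access | ForEach-Object {
        [pscustomobject]@{ Account = "$($_.IdentityReference)"
                           Type    = "$($_.AccessControlType)"
                           Right   = "$($_.FileSystemRights)" }
    }
}

# Constructed sample: the default install state (Everyone has full access).
$share = @([pscustomobject]@{ Account = 'Everyone'; Type = 'Allow'; Right = 'Full' })
$ntfs  = @(
    [pscustomobject]@{ Account = 'Everyone';            Type = 'Allow'; Right = 'FullControl' },
    [pscustomobject]@{ Account = 'NT AUTHORITY\SYSTEM'; Type = 'Allow'; Right = 'FullControl' },
    [pscustomobject]@{ Account = 'CONTOSO\svc-tomcat';  Type = 'Allow'; Right = 'Modify' }
)
# On a live host, replace the samples with:
#   $share = Get-ShareEntries $ShareName
#   $ntfs  = Get-NtfsEntries (Get-SmbShare -Name $ShareName).Path

"Share-level entries outside the allowlist:"
Find-ExcessAccess -Entries $share -Allowed $ShareAllowed | Format-Table -AutoSize
"NTFS-level entries outside the allowlist:"
Find-ExcessAccess -Entries $ntfs -Allowed ($NtfsAllowed + $NtfsBaseline) | Format-Table -AutoSize
```

Entries it reports can then be removed with `Revoke-SmbShareAccess` at the share level and `icacls` or `Set-Acl` at the NTFS level, after confirming the two service accounts keep read/write.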

Fix

Incorrect Permission

Weakness Enumeration

Related Identifiers

CVE-2019-12270

Affected Products

OpenText Brava! Enterprise
OpenText Brava! Server
Apache Tomcat
Windows