PT-2019-18122 · Axway · Axway File Transfer Direct

Published

2019-01-21

Updated

2019-02-08

CVE-2019-6500

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Axway File Transfer Direct version 2.7.1

Description The issue allows for an unauthenticated Directory Traversal by issuing a specially crafted HTTP GET request. This can be achieved by using %2e instead of '.' characters in the request, as shown in an example with the substring /h2hdocumentation//%2e%2e/.

Recommendations For Axway File Transfer Direct version 2.7.1, consider restricting access to the HTTP GET request endpoint to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using the %2e character in requests to prevent potential directory traversal attacks.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2019-6500

Affected Products

Axway File Transfer Direct

PT-2019-18122 · Axway · Axway File Transfer Direct

CVE-2019-6500

Weakness Enumeration

Related Identifiers

Affected Products

References · 4