CVE-2020-27858

Name of the Vulnerable Software and Affected Versions CA Arcserve D2D version 16.5

Description This issue allows remote attackers to disclose sensitive information on affected installations. Authentication is not required to exploit this issue. The specific flaw exists within the getNews method, where improper restriction of XML External Entity (XXE) references allows a specially-crafted document to cause the XML parser to access a specified URI and embed its contents back into the XML document. This can be leveraged to disclose information in the context of SYSTEM.

Recommendations For CA Arcserve D2D version 16.5, as a temporary workaround, consider disabling the getNews method until a patch is available. Restrict access to the XML parser to minimize the risk of exploitation. Avoid using XXE references in the affected XML documents until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.