PT-2021-20211 · Cleo · Cleo Lexicom

Stephen Breen

Published

2021-06-18

Updated

2021-06-22

CVE-2021-33576

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Cleo LexiCom version 5.5.0.0

Description An issue was discovered in Cleo LexiCom where the sender can specify a filename within the AS2 message. This filename can include path-traversal characters, allowing the file to be written to an arbitrary location on disk.

Recommendations For Cleo LexiCom version 5.5.0.0, as a temporary workaround, consider restricting the ability for senders to specify filenames within AS2 messages until a patch is available. Additionally, restrict access to sensitive directories to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2021-33576

Affected Products

Cleo Lexicom

PT-2021-20211 · Cleo · Cleo Lexicom

CVE-2021-33576

Weakness Enumeration

Related Identifiers

Affected Products

References · 8