CVE-2023-42000

Name of the Vulnerable Software and Affected Versions Arcserve UDP versions prior to 9.2

Description The issue allows an unauthenticated remote attacker to exploit a path traversal vulnerability in the com.ca.arcflash.ui.server.servlet.FileHandlingServlet.doUpload() function to upload arbitrary files to any location on the file system where the UDP agent is installed.

Recommendations For versions prior to 9.2, update to version 9.2 or later to resolve the issue. As a temporary workaround, consider disabling the doUpload() function in FileHandlingServlet until a patch is available. Restrict access to the FileHandlingServlet to minimize the risk of exploitation.