PT-2023-7490 · Asustor · Asustor Data Master
Stéphane Chauveau · Published 2023-08-22 · Updated 2023-11-29 · CVE-2023-4475
CVSS v3.1: 7.5 (High)
Vector: AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
ASUSTOR Data Master (ADM) versions 4.0.6.RIS1 and below
ASUSTOR Data Master (ADM) versions 4.1.0 and below
ASUSTOR Data Master (ADM) versions 4.2.2.RI61 and below
Description
An arbitrary file movement issue was found in ASUSTOR Data Master (ADM): an attacker can exploit the file renaming feature to move files to unintended directories. The vulnerability is related to the use of files and directories accessible to external parties.
Recommendations
For ASUSTOR Data Master (ADM) versions 4.0.6.RIS1 and below, consider restricting access to the file renaming feature until a patch is available.
For ASUSTOR Data Master (ADM) versions 4.1.0 and below, avoid using the file renaming feature in sensitive directories.
For ASUSTOR Data Master (ADM) versions 4.2.2.RI61 and below, limit the use of external files and directories to minimize the risk of exploitation.
As a temporary workaround, consider disabling the file renaming feature until a patch is available.
Fix
Files Accessible to External Parties
Weakness Enumeration
Related Identifiers
Affected Products
Asustor Data Master