CERTA-2000-AVI-003
Vulnerability from certfr_avis
Description
By means of a cleverly constructed URL, a malicious user can gain access to certain files present on the server running HP Web JetAdmin.
Solution
4.1 Upgrade to version 6
Upgrading to version 6 of HP Web JetAdmin removes this vulnerability, but another flaw has been discovered: using a malformed URL, a remote user can cause a denial of service on the machine hosting HP Web JetAdmin.
4.2 Temporary workaround
In the application's manager, allow access only from IP addresses of machines known to be trusted.
Vendor informed: a fix is in progress.
Impacted products
| Vendor | Product | Description |
|---|---|---|
| Centreon | Web | HP Web JetAdmin Version 5.6 (Microsoft Windows 2000) |
| Centreon | Web | HP Web JetAdmin Version 5.6 (Red Hat Linux) |
| Centreon | Web | HP Web JetAdmin Version 5.6 (Solaris) |
| Centreon | Web | HP Web JetAdmin Version 5.6 (Linux - SuSe) |
| Centreon | Web | HP Web JetAdmin Version 5.6 (Novell Netware) |
| Centreon | Web | HP Web JetAdmin Version 5.6 (HP-UX 11.x) |
| Centreon | Web | HP Web JetAdmin Version 5.6 (HP-UX 10.20) |
| Centreon | Web | HP Web JetAdmin Version 5.6 (Microsoft Windows NT 4.0) (Tested by CERTA) |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "HP Web JetAdmin Version 5.6 (Microsoft Windows 2000)",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "HP Web JetAdmin Version 5.6 (Red Hat Linux)",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "HP Web JetAdmin Version 5.6 (Solaris)",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "HP Web JetAdmin Version 5.6 (Linux - SuSe)",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "HP Web JetAdmin Version 5.6 (Novell Netware)",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "HP Web JetAdmin Version 5.6 (HP-UX 11.x)",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "HP Web JetAdmin Version 5.6 (HP-UX 10.20)",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "HP Web JetAdmin Version 5.6 (Microsoft Windows NT 4.0) (Test\u00e9 par CERTA)",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Description\n\nPar le biais d\u0027une URL construite astucieusement, un utilisateur mal\nintentionn\u00e9 peu avoir acc\u00e8s \u00e0 certains fichiers pr\u00e9sents sur le serveur\n\u00e9quip\u00e9 de HP Web JetAdmin.\n\n## Solution\n\n## 4.1 Passage en version 6\n\nLe passage en version 6 de HP Web jetAdmin supprime cette vuln\u00e9rabilit\u00e9\nmais une autre faille a \u00e9t\u00e9 d\u00e9couverte : gr\u00e2ce \u00e0 une URL mal form\u00e9e un\nutilisateur distant peut entra\u00eener un d\u00e9ni de service sur la machine\nh\u00e9bergeant HP Web JetAdmin.\n\n## 4.2 Solution temporaire\n\nDans le gestionnaire de l\u0027application, n\u0027autoriser l\u0027acc\u00e8s que sur des\nadresses IP de machines reconnues s\u00fbres.\n\nEditeur Inform\u00e9 : Un correctif est en cours de r\u00e9alisation.\n",
"cves": [],
"initial_release_date": "2000-05-29T00:00:00",
"last_revision_date": "2000-05-29T00:00:00",
"links": [],
"reference": "CERTA-2000-AVI-003",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2000-05-29T00:00:00.000000"
}
],
"risks": [
{
"description": "Acc\u00e8s aux donn\u00e9es"
},
{
"description": "Contournement des r\u00e8gles de s\u00e9curit\u00e9"
}
],
"summary": null,
"title": "Vuln\u00e9rabilit\u00e9 sous HP Web JetAdmin Version 5.6 et ant\u00e9rieures",
"vendor_advisories": [
{
"published_at": null,
"title": "CERT HP",
"url": null
},
{
"published_at": null,
"title": "ussrback",
"url": null
}
]
}