certfr_avis - certa-2005-avi-330

CERTA-2005-AVI-330

Vulnerability from certfr_avis

Une vulnérabilité de type "traversée d'arborescence", découverte dans l'application 3Com Network Supervisor permet à un utilisateur mal intentionné, présent sur le réseau local, de porter atteinte à la confidentialité des données.

Description

3Com Network Supervisor et Director sont des outils d'administration réseau.

La vulnérabilité est causée par une erreur dans le traitement des requêtes HTTP destinées au serveur Web interne. Une personne malveillante peut, au moyen de requêtes HTTP malicieusement constituées, à destination du 21700/tcp, porter atteinte à la confidentialité des donnée hors de la racine du serveur web.

Solution

Se référer à la section Documentation pour l'obtention des correctifs.

None

Impacted products

Vendor	Product	Description
N/A	N/A	3Com Network Supervisor 5.x.
N/A	N/A	3Com Network Director 2.x ;
N/A	N/A	3Com Network Director 1.x ;

References

Title

Publication Time

Tags

Bulletin de sécurité iDEFENSE #300 du 01 septembre 2005	None	vendor-advisory
Mise à jour ``3Com Network Director 1.0 Critical Update 1'' pour version initiale et Service Pack 1 :	-	other
Site Internet de l'éditeur :	-	other
Mise à jour ``3Com Network Supervisor 5.1 Critical Update 1'' : http://support.3com.com/software/3Com_network_supervisor_v5_1_cu1.exe	-	other
Mise à jour ``3Com Network Director 1.0 Critical Update 1'' pour Service Pack 2 & 3 :	-	other
Mise à jour ``3Com Network Director 2.0 Critical Update 1'' :	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "3Com Network Supervisor 5.x.",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "3Com Network Director 2.x ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "3Com Network Director 1.x ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\n3Com Network Supervisor et Director sont des outils d\u0027administration\nr\u00e9seau.\n\nLa vuln\u00e9rabilit\u00e9 est caus\u00e9e par une erreur dans le traitement des\nrequ\u00eates HTTP destin\u00e9es au serveur Web interne. Une personne\nmalveillante peut, au moyen de requ\u00eates HTTP malicieusement constitu\u00e9es,\n\u00e0 destination du 21700/tcp, porter atteinte \u00e0 la confidentialit\u00e9 des\ndonn\u00e9e hors de la racine du serveur web.\n\n## Solution\n\nSe r\u00e9f\u00e9rer \u00e0 la section Documentation pour l\u0027obtention des correctifs.\n",
  "cves": [],
  "initial_release_date": "2005-09-05T00:00:00",
  "last_revision_date": "2005-09-05T00:00:00",
  "links": [
    {
      "title": "Mise \u00e0 jour ``3Com Network Director 1.0 Critical Update 1\u0027\u0027    pour version initiale et Service Pack 1 :",
      "url": "http://support.3com.com/software/3Com_network_director_v1_0_sp0_1_cu1.exe"
    },
    {
      "title": "Site Internet de l\u0027\u00e9diteur :",
      "url": "http://www.3com.fr"
    },
    {
      "title": "Mise \u00e0 jour ``3Com Network Supervisor 5.1 Critical Update    1\u0027\u0027 :      http://support.3com.com/software/3Com_network_supervisor_v5_1_cu1.exe",
      "url": "http://support.3com.com/software/3Com_network_director_v5_1_cu1.exe"
    },
    {
      "title": "Mise \u00e0 jour ``3Com Network Director 1.0 Critical Update 1\u0027\u0027    pour Service Pack 2 \u0026 3 :",
      "url": "http://support.3com.com/software/3Com_network_director_v1_0_sp2_3_cu1.exe"
    },
    {
      "title": "Mise \u00e0 jour ``3Com Network Director 2.0 Critical Update 1\u0027\u0027    :",
      "url": "http://support.3com.com/software/3Com_network_director_v2_0_cu1.exe"
    }
  ],
  "reference": "CERTA-2005-AVI-330",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2005-09-05T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 de type \"travers\u00e9e d\u0027arborescence\", d\u00e9couverte dans\nl\u0027application 3Com Network Supervisor permet \u00e0 un utilisateur mal\nintentionn\u00e9, pr\u00e9sent sur le r\u00e9seau local, de porter atteinte \u00e0 la\nconfidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Vuln\u00e9rabilit\u00e9 de 3Com Network Supervisor",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 iDEFENSE #300 du 01 septembre 2005",
      "url": "http://www.idefense.com/application/poi/display?id=300"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted