A vulnerability classified as problematic was found in Raz-Lee Security (version now known). This vulnerability affects some unknown processing in the library qsys.lib. The manipulation with an unknown input leads to a path traversal vulnerability. The CWE definition for the vulnerability is CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. As an impact it is known to affect confidentiality. CVE summarizes:

Directory traversal vulnerability in the third party tool from Raz-Lee, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request.

The weakness was published 05/02/2005 by Shalom Carmel (Website). The advisory is shared for download at venera.com. This vulnerability was named CVE-2005-1239 since 04/24/2005. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1006.

The vulnerability is also documented in the vulnerability database at X-Force (20260). Similar entries are available at 24216, 24215, 24214 and 24942.

Productinfo

Vendor

• Raz-Lee

Name

• Security

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion