CVE-2024-0800 in Unified Data Protection

Summary

by MITRE • 03/13/2024

A path traversal vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet.

Analysis

by VulDB Data Team • 12/16/2025

The path traversal vulnerability identified in CVE-2024-0800 affects Arcserve Unified Data Protection versions 9.2 and 8.1 within the edge-app-base-webui.jar component. This flaw resides in the ImportNodeServlet class which processes file import operations through the web user interface. The vulnerability stems from insufficient input validation when handling file paths, allowing malicious actors to manipulate directory traversal sequences and access unauthorized files or directories on the underlying system. Such weaknesses typically arise from inadequate sanitization of user-supplied data before processing file system operations.

The technical implementation of this vulnerability involves the servlet failing to properly validate or sanitize file path parameters received from client requests. When users attempt to import nodes through the web interface, the system processes these requests without adequate checks on the provided file paths. Attackers can exploit this by crafting malicious requests containing directory traversal sequences such as ../ or ..\ that bypass normal access controls. This allows them to navigate outside the intended directory structure and potentially read sensitive files, execute arbitrary code, or even overwrite critical system components depending on the permissions of the running service.

The operational impact of this vulnerability extends beyond simple unauthorized file access, as it represents a critical security weakness that could enable full system compromise. An attacker exploiting this path traversal flaw could potentially access configuration files containing sensitive credentials, system logs, or other confidential data. The vulnerability could also facilitate privilege escalation if the service runs with elevated permissions, allowing attackers to modify system files or install malicious software. Additionally, this weakness could serve as an initial foothold for further attacks within the network infrastructure, particularly in environments where Arcserve Unified Data Protection manages critical backup and recovery operations.

Security mitigations for this vulnerability should focus on implementing proper input validation and sanitization mechanisms within the ImportNodeServlet component. Organizations should immediately apply vendor patches or updates when available, as the vulnerability affects specific versions of the Arcserve Unified Data Protection software. Network segmentation and access controls should be implemented to limit exposure of the affected web interface to trusted networks only. The principle of least privilege must be enforced by ensuring the web application runs with minimal necessary permissions and by implementing proper file access controls. Regular security assessments and code reviews should be conducted to identify similar path traversal vulnerabilities in other components, aligning with CWE-22 standards for path traversal prevention. Organizations should also consider implementing web application firewalls and monitoring systems to detect and block suspicious path traversal attempts as part of their defense-in-depth strategy.
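The containment check the mitigation paragraph describes, written out as an added example in Java. This is not Arcserve's code: the page gives neither ImportNodeServlet's import directory nor its request parameter names, so the class SafeImportPath, the directory IMPORT_ROOT and the sample inputs are all constructed for illustration.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical hardened resolver for a client-supplied import file name.
// Added example; not code from Arcserve or from the ImportNodeServlet class.
public final class SafeImportPath {

    // Assumed import directory; the product's real location is not given on the page.
    private static final Path IMPORT_ROOT =
            Paths.get("/var/lib/example-udp/imports").toAbsolutePath().normalize();

    /**
     * Resolve userSupplied relative to IMPORT_ROOT and confirm that the
     * normalized result still lies inside it. Throws SecurityException otherwise.
     */
    public static Path resolveImportFile(String userSupplied) {
        if (userSupplied == null || userSupplied.isEmpty()) {
            throw new IllegalArgumentException("file name required");
        }
        // A NUL byte can truncate the name in native code; reject it outright.
        if (userSupplied.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("NUL byte in file name");
        }
        // Treat backslashes as separators too, so "..\" is normalized on any OS.
        String unified = userSupplied.replace('\\', '/');

        Path candidate;
        try {
            // resolve() returns the argument itself when it is absolute, so an
            // absolute path also fails the containment check below.
            candidate = IMPORT_ROOT.resolve(unified).normalize();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("malformed file name", e);
        }

        // Path.startsWith compares whole path components, so "/imports2/x" does
        // not pass for root "/imports" the way a String prefix check would.
        if (!candidate.startsWith(IMPORT_ROOT) || candidate.equals(IMPORT_ROOT)) {
            throw new SecurityException("file name escapes import root: " + userSupplied);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate name, three that must be rejected.
        String[] samples = {
            "nodes/node-list.xml",
            "../../outside.txt",
            "..\\..\\outside.txt",
            "/etc/hostname"
        };
        for (String s : samples) {
            try {
                System.out.println("accept " + s + " -> " + resolveImportFile(s));
            } catch (RuntimeException e) {
                System.out.println("reject " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check is done on the normalized Path object rather than on the raw string, because string filters for "../" miss the encoded, mixed-separator and absolute-path variants that normalize() and resolve() handle uniformly. Backslashes are folded into forward slashes deliberately, since the analysis names "..\" as a traversal form; on a Unix host this also rejects legitimate names containing a backslash, which is an acceptable trade for an import directory. Where the import root may contain symbolic links, follow this with a toRealPath() comparison on the resolved file before opening it, because normalize() does not consult the file system.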

Reservation: 01/22/2024

Disclosure: 03/13/2024

Moderation: accepted

CPE: ready

EPSS: 0.01034

KEV: no

Activities: very low

Sources
