Summaryinfo

A vulnerability classified as critical has been found in Alfresco Server up to 4.2.f. Affected is an unknown function of the component Proxy Servlet. Performing a manipulation of the argument endpoint results in privileges management. This vulnerability is cataloged as CVE-2014-9301. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as critical, was found in Alfresco Server up to 4.2.f. This affects some unknown processing of the component Proxy Servlet. The manipulation of the argument endpoint with an unknown input leads to a privileges management vulnerability. CWE is classifying the issue as CWE-269. The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. This is going to have an impact on integrity.

The weakness was shared 07/16/2014 as confirmed mailinglist post (Bugtraq). The advisory is shared at seclists.org. This vulnerability is uniquely identified as CVE-2014-9301 since 12/07/2014. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details and a public exploit are known. MITRE ATT&CK project uses the attack technique T1068 for this issue.

The exploit is shared for download at exploit-db.com. It is declared as proof-of-concept.

Upgrading to version 5.0.a eliminates this vulnerability.

The vulnerability is also documented in the databases at X-Force (99738) and Exploit-DB (39258). The entry VDB-68530 is related to this item. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Vendor

• Alfresco

Name

• Server

Version

• 4.2.a
• 4.2.b
• 4.2.c
• 4.2.d
• 4.2.e
• 4.2.f

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion