Vulnerability CVE-2013-0141 - CERT Civis.Net

Vulnerability Name:

CVE-2013-0141 (CCN-83821)

Assigned:

2012-12-06

Published:

2013-04-25

Updated:

2017-11-16

Summary:

Directory traversal vulnerability in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to upload arbitrary files via a crafted request over the Agent-Server communication channel, as demonstrated by writing to the Software/ directory.

CVSS v3 Severity:

5.4 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Adjacent Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:A/AC:M/Au:N/C:P/I:P/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:A/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Adjacent_Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:A/AC:M/Au:N/C:P/I:P/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:A/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Adjacent_Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2013-0141

Source: FULLDISC
Type: UNKNOWN
20140427 Re: Exploit: McAfee ePolicy 0wner (ePowner ) Ã¢â?¬â?? Release

Source: CCN
Type: SA53196
McAfee ePolicy Orchestrator Two Vulnerabilities

Source: CCN
Type: US-CERT VU#209131
McAfee ePolicy Orchestrator 4.6.4 and earlier pre-authenticated SQL injection and directory path traversal vulnerabilities

Source: CERT-VN
Type: US Government Resource
VU#209131

Source: CCN
Type: BID-59505
McAfee ePolicy Orchestrator CVE-2013-0141 Unspecified Directory Traversal Vulnerability

Source: CERT
Type: UNKNOWN
TA13-193A

Source: XF
Type: UNKNOWN
mcafee-epolicy-cve20130141-dir-trav(83821)

Source: CCN
Type: SB10042
ePO update fixes two vulnerabilities reported by Verizon

Source: CONFIRM
Type: Vendor Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10042

Vulnerable Configuration:

Configuration 1:

cpe:/a:mcafee:epolicy_orchestrator:2.0:*:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:2.5:*:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:2.5:sp1:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:2.5.1:*:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:3.0:*:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:3.0:sp2a:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:3.5.0:*:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:3.6.0:*:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:3.6.1:*:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:4.0:*:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:4.5.0:*:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:4.5.3:*:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:4.5.4:*:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:4.5.5:*:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:*:*:*:*:*:*:*:* (Version <= 4.5.6)

Configuration 2:

cpe:/a:mcafee:epolicy_orchestrator:4.6.0:*:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:4.6.1:*:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:4.6.2:*:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:4.6.3:*:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:4.6.4:*:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:4.6.5:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:mcafee:epolicy_orchestrator:4.5.0:*:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:4.6.0:*:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:4.6.1:*:*:*:*:*:*:*

Denotes that component is vulnerable