Microfocus Host Access Management And Security Server 12.2 Directory Traversal Vulnerability
16 Jun. 2017
The Administrative Server in Micro Focus Host Access Management and Security Server (MSS), Reflection for the Web (RWeb), Reflection Security Gateway (RSG) and Reflection ZFE (ZFE) allows remote unauthenticated attackers to read arbitrary files via a specially crafted URL that permits limited directory traversal. Affected versions: MSS 12.3 before 12.3.326, MSS 12.2 before 12.2.342, RSG 12.1 before 12.1.362, RWeb 12.3 before 12.3.312, RWeb 12.2 before 12.2.342, RWeb 12.1 before 12.1.362, ZFE 2.0.1 before 22.214.171.124, ZFE 2.0.0 before 126.96.36.199 and ZFE 1.4.0 before 188.8.131.52.
* Microfocus Host Access Management And Security Server 12.2
* Microfocus Host Access Management And Security Server 12.3
* Microfocus Reflection For The Web 12.1
* Microfocus Reflection For The Web 12.2
* Microfocus Reflection For The Web 12.3
* Microfocus Reflection Security Gateway 12.1
* Microfocus Reflection Zfe 184.108.40.206
* Microfocus Reflection Zfe 220.127.116.11
* Microfocus Reflection Zfe 18.104.22.168
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Attachmate Host Access Management and Security Server. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the PassThru resource. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose sensitive information under the context of the current process.
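The defect described above is the standard one behind file-read traversals: a path taken from the request is handed to file APIs without first proving that the resolved target still lies inside the directory the resource is meant to serve. The following Python check is an added illustration of the missing validation step, written for this page; it is not Micro Focus code, and the page does not describe the PassThru request format, so the idea that the client supplies a relative path under a fixed document root is an assumption. The check decodes percent-encoding exactly once, rejects NUL bytes, absolute paths and backslash separators, collapses `..` lexically, and then verifies the physically resolved path (symlinks followed) against the real root, which is the check a lexical-only filter misses.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a client-supplied path would escape the served directory."""


def resolve_under_root(root: str, client_path: str) -> str:
    """Map a client-supplied relative path onto a file below ``root``.

    Returns the absolute filesystem path, or raises PathTraversalError.
    ``root`` is the directory the resource is allowed to serve from
    (hypothetical document root, not a path from the advisory).
    """
    root_real = os.path.realpath(root)
    # Decode percent-encoding once. Decoding again would turn "%252e%252e"
    # into "..", reintroducing the double-encoding bypass, so decode exactly
    # once and inspect only the decoded result.
    decoded = unquote(client_path)
    # Embedded NUL bytes can truncate the path in native file APIs.
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    # Treat backslashes as separators so "..\\" is not accepted as a filename.
    decoded = decoded.replace("\\", "/")
    # Refuse absolute paths outright instead of silently re-rooting them.
    if decoded.startswith("/"):
        raise PathTraversalError("absolute path rejected")
    # Collapse "." and ".." lexically; anything still starting with ".." has
    # already escaped, and the bare root is not a servable file.
    normalized = posixpath.normpath(decoded)
    if normalized in (".", "..") or normalized.startswith("../"):
        raise PathTraversalError("path escapes the served directory")
    candidate = os.path.realpath(os.path.join(root_real, normalized))
    # Final authority: the resolved path, with symlinks followed, must share
    # the root as its common prefix. This catches a symlink inside the root
    # that points above it, which lexical checks alone cannot see.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathTraversalError("resolved path escapes the served directory")
    return candidate


def demo() -> dict:
    """Exercise the check over constructed inputs in a throwaway directory tree.

    Returns a mapping of each constructed client path to "ok" or "rejected".
    """
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "readme.txt"), "w") as fh:
            fh.write("public\n")
        # Constructed symlink that points one level above the root: every
        # path through it is lexically inside but physically outside.
        os.symlink(os.path.dirname(os.path.realpath(root)),
                   os.path.join(root, "docs", "outside"))
        # Constructed sample inputs, benign and hostile.
        samples = [
            "docs/readme.txt",
            "docs/./readme.txt",
            "docs/../docs/readme.txt",
            "docs%2Freadme.txt",
            "../../etc/passwd",
            "%2e%2e/%2e%2e/etc/passwd",
            "/etc/passwd",
            "..\\..\\windows\\win.ini",
            "docs/outside/secret.txt",
            "",
        ]
        for sample in samples:
            try:
                resolve_under_root(root, sample)
                results[sample] = "ok"
            except PathTraversalError:
                results[sample] = "rejected"
    return results


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8s} {path!r}")
```

Two design points matter in practice. First, the ordering of operations: decode, then normalize, then resolve; a filter that strips `..` before decoding, or compares strings before `realpath`, is exactly the kind of "limited" traversal the advisory describes. Second, the check is placed where the file is opened, not at the URL router, because the same file-serving routine is usually reachable from more than one resource.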