Preview Tool

Cisco Bug: CSCuj22948 - Directory Traversal in VMWS Attachment Service

Last Modified

Jan 29, 2017

Products (1)

  • Cisco Unity Connection

Known Affected Releases

8.6(4.1) 9.0(1.7) 9.1(1.10)

Description (partial)


Cisco Unity Connection contains a directory traversal vulnerability within the VMWS Attachment Service API.  An authenticated, remote attacker could 
leverage this vulnerability to place files in arbitrary directories on the affected system for a short amount of time.

The issue is due to a failure to properly sanitize user supplied input passed as part of the input string when supplying a filename to the VMWS 
attachment service.  An attacker could leverage the vulnerability to write a file to any location that the <i>tomcat</i> user can access.  This action could 
have extended secondary impacts on the device.


Cisco Unity Connection devices running version 7.x or unpatched 8.5, 8.6, or 9.1 software.

Bug details contain sensitive information and therefore require a account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.