Cisco Bug: CSCur49414 - PSIRT: Reporter Servlet allows access to contents of local files

Last Modified

Nov 14, 2015

Products (1)

  • Cisco Unified Communications Manager (CallManager)

Known Affected Releases

10.5(1.10000.7) 10.5(2.10000.5) 8.5(1.10000.26) 8.6(2.10000.30) 9.1(2.10000.28)

Description (partial)

Symptom:
The vulnerability is due to a failure to properly restrict paths passed to a specific API command. An authenticated attacker could exploit the vulnerability by providing the absolute path to the file of interest to the affected API command.

Conditions:
The Reporter Servlet also allows authenticated users to view the contents of some system files.

Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
