Details of VAR-201403-0278

ID

VAR-201403-0278

CVE

CVE-2014-2535

TITLE

McAfee Web Gateway Directory Traversal Vulnerability

Trust: 0.9

sources: BID: 66193 // CNNVD: CNNVD-201403-345

DESCRIPTION

Directory traversal vulnerability in McAfee Web Gateway (MWG) 7.4.x before 7.4.1, 7.3.x before 7.3.2.6, and 7.2.0.9 and earlier allows remote authenticated users to read arbitrary files via a crafted request to the web filtering port. McAfee Web Gateway is prone to a directory-traversal vulnerability. Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application. Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. The following versions are vulnerable: McAfee Web Gateway 7.4.0 and prior McAfee Web Gateway 7.3.2.4 and prior McAfee Web Gateway 7.2.0.9 and prior. The product provides features such as threat protection, application control, and data loss prevention. A directory traversal vulnerability exists in MWG. The following versions are affected: MWG 7.2.0.9 and earlier, 7.3.2.4 and earlier, 7.4.0 and earlier

Trust: 1.98

sources: NVD: CVE-2014-2535 // JVNDB: JVNDB-2014-001745 // BID: 66193 // VULHUB: VHN-70474

AFFECTED PRODUCTS

vendor:	mcafee	model:	web gateway	scope:	lt	version:	7.4.1	Trust: 1.0
vendor:	mcafee	model:	web gateway	scope:	gte	version:	7.2.0	Trust: 1.0
vendor:	mcafee	model:	web gateway	scope:	lte	version:	7.2.0.9	Trust: 1.0
vendor:	mcafee	model:	web gateway	scope:	gte	version:	7.3.2	Trust: 1.0
vendor:	mcafee	model:	web gateway	scope:	lt	version:	7.3.2.6	Trust: 1.0
vendor:	mcafee	model:	web gateway	scope:	gte	version:	7.4.0	Trust: 1.0
vendor:	mcafee	model:	web gateway software	scope:	eq	version:	7.3.2.6	Trust: 0.8
vendor:	mcafee	model:	web gateway software	scope:	lt	version:	7.4.x	Trust: 0.8
vendor:	mcafee	model:	web gateway software	scope:	lte	version:	7.2.0.9 and earlier	Trust: 0.8
vendor:	mcafee	model:	web gateway software	scope:	lt	version:	7.3.x	Trust: 0.8
vendor:	mcafee	model:	web gateway software	scope:	eq	version:	7.4.1	Trust: 0.8
vendor:	mcafee	model:	web gateway	scope:	eq	version:	7.3.2.4	Trust: 0.6
vendor:	mcafee	model:	web gateway	scope:	eq	version:	7.2.0.9	Trust: 0.6
vendor:	mcafee	model:	web gateway	scope:	eq	version:	7.4.0	Trust: 0.6

sources: JVNDB: JVNDB-2014-001745 // CNNVD: CNNVD-201403-345 // NVD: CVE-2014-2535

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-2535
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-2535
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201403-345
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-70474
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-2535
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-70474
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-70474 // JVNDB: JVNDB-2014-001745 // CNNVD: CNNVD-201403-345 // NVD: CVE-2014-2535

PROBLEMTYPE DATA

problemtype:

CWE-22

Trust: 1.9

sources: VULHUB: VHN-70474 // JVNDB: JVNDB-2014-001745 // NVD: CVE-2014-2535

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201403-345

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201403-345

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001745

PATCH

title:

SB10063

url:

https://kc.mcafee.com/corporate/index?page=content&id=SB10063

Trust: 0.8

sources: JVNDB: JVNDB-2014-001745

EXTERNAL IDS

db:	NVD	id:	CVE-2014-2535	Trust: 2.8
db:	SECUNIA	id:	56958	Trust: 1.7
db:	MCAFEE	id:	SB10063	Trust: 1.7
db:	BID	id:	66193	Trust: 1.4
db:	JVNDB	id:	JVNDB-2014-001745	Trust: 0.8
db:	CNNVD	id:	CNNVD-201403-345	Trust: 0.7
db:	XF	id:	91772	Trust: 0.6
db:	VULHUB	id:	VHN-70474	Trust: 0.1

sources: VULHUB: VHN-70474 // BID: 66193 // JVNDB: JVNDB-2014-001745 // CNNVD: CNNVD-201403-345 // NVD: CVE-2014-2535

REFERENCES

url:	http://secunia.com/advisories/56958	Trust: 1.7
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10063	Trust: 1.6
url:	http://www.securityfocus.com/bid/66193	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/91772	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2535	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2535	Trust: 0.8
url:	http://xforce.iss.net/xforce/xfdb/91772	Trust: 0.6
url:	http://www.mcafee.com/	Trust: 0.3
url:	https://kc.mcafee.com/resources/sites/mcafee/content/live/product_documentation/23000/pd23455/en_us/mwg_7152_release_notes.pdf	Trust: 0.3
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10063	Trust: 0.1

sources: VULHUB: VHN-70474 // BID: 66193 // JVNDB: JVNDB-2014-001745 // CNNVD: CNNVD-201403-345 // NVD: CVE-2014-2535

CREDITS

Ilyas Orak from Biznet Bilisim

Trust: 0.3

sources: BID: 66193

SOURCES

db:	VULHUB	id:	VHN-70474
db:	BID	id:	66193
db:	JVNDB	id:	JVNDB-2014-001745
db:	CNNVD	id:	CNNVD-201403-345
db:	NVD	id:	CVE-2014-2535

LAST UPDATE DATE

2024-11-23T22:23:06.972000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-70474	date:	2018-12-13T00:00:00
db:	BID	id:	66193	date:	2014-03-25T00:58:00
db:	JVNDB	id:	JVNDB-2014-001745	date:	2014-03-24T00:00:00
db:	CNNVD	id:	CNNVD-201403-345	date:	2014-03-21T00:00:00
db:	NVD	id:	CVE-2014-2535	date:	2024-11-21T02:06:29.690

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-70474	date:	2014-03-18T00:00:00
db:	BID	id:	66193	date:	2014-02-24T00:00:00
db:	JVNDB	id:	JVNDB-2014-001745	date:	2014-03-24T00:00:00
db:	CNNVD	id:	CNNVD-201403-345	date:	2014-03-20T00:00:00
db:	NVD	id:	CVE-2014-2535	date:	2014-03-18T17:04:18.407