Details of VAR-201502-0017

ID

VAR-201502-0017

CVE

CVE-2014-9375

TITLE

Lexmark Markvision Enterprise of LibraryFileUploadServlet Directory traversal vulnerability in servlets

Trust: 0.8

sources: JVNDB: JVNDB-2014-007899

DESCRIPTION

Directory traversal vulnerability in the LibraryFileUploadServlet servlet in Lexmark Markvision Enterprise allows remote authenticated users to write to and execute arbitrary files via a .. (dot dot) in a file path in a ZIP archive. Authentication is not required to exploit this vulnerability. The specific flaw exists within the LibraryFileUploadServlet servlet. An attacker could leverage this to execute arbitrary code as SYSTEM. Lexmark Markvision Enterprise is a web-based network device management software from Lexmark. This software is mainly used to manage network devices such as printers, such as providing some printer drivers for Unix systems. Failed attacks may cause a denial-of-service condition

Trust: 3.06

sources: NVD: CVE-2014-9375 // JVNDB: JVNDB-2014-007899 // ZDI: ZDI-15-046 // CNVD: CNVD-2015-01280 // BID: 72726

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2015-01280

AFFECTED PRODUCTS

vendor:	lexmark	model:	markvision enterprise	scope:	-	version:	-	Trust: 2.1
vendor:	lexmark	model:	markvision enterprise	scope:	eq	version:	-	Trust: 1.9

sources: ZDI: ZDI-15-046 // CNVD: CNVD-2015-01280 // BID: 72726 // JVNDB: JVNDB-2014-007899 // CNNVD: CNNVD-201502-341 // NVD: CVE-2014-9375

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-9375
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-9375
value:	HIGH
Trust: 0.8
ZDI:	CVE-2014-9375
value:	HIGH
Trust: 0.7
CNVD:	CNVD-2015-01280
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201502-341
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2014-9375
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 2.5
CNVD:	CNVD-2015-01280
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: ZDI: ZDI-15-046 // CNVD: CNVD-2015-01280 // JVNDB: JVNDB-2014-007899 // CNNVD: CNNVD-201502-341 // NVD: CVE-2014-9375

PROBLEMTYPE DATA

problemtype:

CWE-22

Trust: 1.8

sources: JVNDB: JVNDB-2014-007899 // NVD: CVE-2014-9375

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201502-341

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201502-341

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-007899

PATCH

title:	TE677	url:	http://support.lexmark.com/index?page=content&id=TE677	Trust: 0.8
title:	Lexmark has issued an update to correct this vulnerability.	url:	http://support.lexmark.com/index?page=content&id=TE677&locale=EN&userlocale=EN_US	Trust: 0.7
title:	Lexmark Markvision Enterprise LibraryFileUploadServlet servlet directory traversal vulnerability patch	url:	https://www.cnvd.org.cn/patchInfo/show/55555	Trust: 0.6
title:	MVE-2.1.1	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=54214	Trust: 0.6

sources: ZDI: ZDI-15-046 // CNVD: CNVD-2015-01280 // JVNDB: JVNDB-2014-007899 // CNNVD: CNNVD-201502-341

EXTERNAL IDS

db:	NVD	id:	CVE-2014-9375	Trust: 4.0
db:	ZDI	id:	ZDI-15-046	Trust: 3.2
db:	JVNDB	id:	JVNDB-2014-007899	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-2648	Trust: 0.7
db:	CNVD	id:	CNVD-2015-01280	Trust: 0.6
db:	CNNVD	id:	CNNVD-201502-341	Trust: 0.6
db:	BID	id:	72726	Trust: 0.3

sources: ZDI: ZDI-15-046 // CNVD: CNVD-2015-01280 // BID: 72726 // JVNDB: JVNDB-2014-007899 // CNNVD: CNNVD-201502-341 // NVD: CVE-2014-9375

REFERENCES

url:	http://www.zerodayinitiative.com/advisories/zdi-15-046/	Trust: 2.5
url:	http://support.lexmark.com/index?page=content&id=te677	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-9375	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-9375	Trust: 0.8
url:	http://support.lexmark.com/index?page=content&id=te677&locale=en&userlocale=en_us	Trust: 0.7
url:	http://www1.lexmark.com/en_us/software/markvision/index.shtml	Trust: 0.3
url:	http://support.lexmark.com/index?page=content&id=te677&locale=en&userlocale=en_us	Trust: 0.3

sources: ZDI: ZDI-15-046 // CNVD: CNVD-2015-01280 // BID: 72726 // JVNDB: JVNDB-2014-007899 // CNNVD: CNNVD-201502-341 // NVD: CVE-2014-9375

CREDITS

Andrea Micalizzi (rgod)

Trust: 1.0

sources: ZDI: ZDI-15-046 // BID: 72726

SOURCES

db:	ZDI	id:	ZDI-15-046
db:	CNVD	id:	CNVD-2015-01280
db:	BID	id:	72726
db:	JVNDB	id:	JVNDB-2014-007899
db:	CNNVD	id:	CNNVD-201502-341
db:	NVD	id:	CVE-2014-9375

LAST UPDATE DATE

2025-04-12T23:27:39.835000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-15-046	date:	2015-02-13T00:00:00
db:	CNVD	id:	CNVD-2015-01280	date:	2015-02-27T00:00:00
db:	BID	id:	72726	date:	2015-02-13T00:00:00
db:	JVNDB	id:	JVNDB-2014-007899	date:	2015-02-19T00:00:00
db:	CNNVD	id:	CNNVD-201502-341	date:	2015-02-25T00:00:00
db:	NVD	id:	CVE-2014-9375	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-15-046	date:	2015-02-13T00:00:00
db:	CNVD	id:	CNVD-2015-01280	date:	2015-02-27T00:00:00
db:	BID	id:	72726	date:	2015-02-13T00:00:00
db:	JVNDB	id:	JVNDB-2014-007899	date:	2015-02-19T00:00:00
db:	CNNVD	id:	CNNVD-201502-341	date:	2015-02-25T00:00:00
db:	NVD	id:	CVE-2014-9375	date:	2015-02-16T15:59:00.057