JVNDB-2013-000011

3DM (3ware Disk Manager) vulnerable to directory traversal

Overview

3DM (3ware Disk Manager) contains a directory traversal vulnerability.

3DM, provided by LSI, is software for managing RAID controllers. 3DM contains a directory traversal vulnerability.

yamaguchi tsuyoshi of Digiplate.inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None

Affected Products


LSI Corporation
  • 3DM (3ware Disk Manager)

Note that 3DM2 (3ware Disk Manager 2), the successor to 3DM, is not affected by this vulnerability.

Impact

A remote attacker may obtain arbitrary files.

Solution

[Use 3DM2]
The developer states that the development of 3DM is discontinued and there are no plans for 3DM to be modified.
Use 3DM2, the successor to 3DM.

For more information, refer to the information provided by the developer.

Vendor Information

LSI Corporation

CWE

  1. Path Traversal (CWE-22) [IPA Evaluation]

CVE

  1. CVE-2013-0705

References

  1. JVN : JVN#02596643
  2. National Vulnerability Database (NVD) : CVE-2013-0705

Revision History

[2013/02/15]
  Web page was published