CVE-2015-4068
Published: 29 May 2015
Summary
CVE-2015-4068 is a critical-severity path traversal (CWE-22) vulnerability in Arcserve UDP. Its CVSS 3.1 base score is 9.1 (Critical).
Operationally, it ranks in the top 0.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations identified here are NIST SP 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Arcserve UDP versions prior to 5.0 Update 4 are affected by a directory traversal vulnerability tracked as CVE-2015-4068 and classified as CWE-22. The flaw resides in the reportFileServlet and exportServlet servlets, which use an attacker-supplied file path without confining it to the directory they are meant to serve from.
Unauthenticated remote attackers can exploit the issue over the network by submitting crafted paths to these servlets, resulting in disclosure of sensitive information or a denial-of-service condition. The CVSS 3.1 base score of 9.1 reflects a network attack vector, low attack complexity, no privileges or user interaction required, and high impact to confidentiality and availability (integrity is not affected).
Vendor documentation for Arcserve UDP 5.0 Update 4 states that the release resolves the directory traversal issue; affected installations should be upgraded to that release or later. The corresponding Zero Day Initiative advisories ZDI-15-241 and ZDI-15-242 provide additional technical context on the affected servlets.
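The pattern behind the servlet flaw, and the input-validation control that blocks it, as an added example written for this page (it is not Arcserve code and does not reproduce the product's servlets). The base directory, the probe strings and the idea that the servlet takes a single file-path parameter are all constructed assumptions; the page does not name the parameter. `vulnerable_resolve` shows the CWE-22 shape, where a request value is joined straight onto a base directory, and `safe_resolve` shows the containment check a hardened servlet performs before touching the filesystem.

```python
import os
import urllib.parse

# Constructed base directory for the example. The real directory Arcserve UDP
# serves reports from, and the servlet's parameter name, are not given on the
# page; nothing here is taken from the product.
BASE_DIR = os.path.realpath("/opt/udp/reports")


def vulnerable_resolve(base_dir, requested):
    """The CWE-22 pattern: the caller-supplied value is joined onto the base
    directory with no containment check. os.path.join drops base_dir entirely
    when `requested` is absolute, and '..' segments walk out of it."""
    return os.path.normpath(os.path.join(base_dir, requested))


class PathTraversalError(ValueError):
    """Raised when a requested path would leave the base directory."""


def safe_resolve(base_dir, requested):
    """Hardened resolver in the spirit of NIST SP 800-53 SI-10 (input validation).

    1. Percent-decode twice so double encoding (%252e%252e) cannot slip past.
    2. Reject NUL bytes (a classic way to truncate a path after the check).
    3. Treat backslashes as separators so '..\\' is not smuggled past a check
       that only looks for '../'.
    4. Reject absolute paths (POSIX '/' and Windows drive prefixes) outright.
    5. Canonicalise with realpath (resolves symlinks and '..') and require the
       result to remain inside the canonical base directory. commonpath rather
       than a string-prefix test, so '/opt/udp/reports2' is not mistaken for
       something inside '/opt/udp/reports'.
    """
    decoded = requested
    for _ in range(2):
        decoded = urllib.parse.unquote(decoded)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in requested path")
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/") or (len(decoded) > 1 and decoded[1] == ":"):
        raise PathTraversalError("absolute path rejected")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"path escapes base directory: {requested!r}")
    return candidate


def is_safe(base_dir, requested):
    """True if safe_resolve accepts the request, False if it rejects it."""
    try:
        safe_resolve(base_dir, requested)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed probe values, one per evasion technique the resolver handles.
    probes = [
        "monthly.pdf",                       # legitimate request
        "../../../etc/passwd",               # plain dot-dot
        "..%2F..%2F..%2Fetc%2Fpasswd",       # URL-encoded separators
        "%252e%252e/%252e%252e/etc/passwd",  # double-encoded dots
        "..\\..\\..\\windows\\win.ini",      # backslash separators
        "/etc/passwd",                       # absolute path
        "../reports2/other.pdf",             # sibling dir sharing a name prefix
    ]
    for p in probes:
        print(f"{p!r:40} vulnerable -> {vulnerable_resolve(BASE_DIR, p)}")
        print(f"{'':40} hardened   -> {'accepted' if is_safe(BASE_DIR, p) else 'rejected'}")
```

The sibling-directory probe is the one most hand-written checks miss: `/opt/udp/reports2/other.pdf` starts with the string `/opt/udp/reports`, so a `startswith` test accepts it while `os.path.commonpath` correctly rejects it. Running the block prints, for each probe, the path the vulnerable pattern would open and the verdict of the hardened one.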
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2015-4094
Vulnerability details
Directory traversal vulnerability in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive information or cause a denial of service via a crafted file path to the (1) reportFileServlet or (2) exportServlet servlet.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
- KEV date added: 25 March 2022
Related Threats
No named threat actor has been attributed to exploitation of this CVE; ATT&CK technique mapping is in progress.
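Because the CVE is in the KEV catalog, the practical question for defenders is whether anyone has already sent crafted paths to these servlets. The following hunt over web-server access logs is an added example for this page, not an Arcserve or CISA detection: the log lines are constructed in combined log format, the query-parameter names `file` and `path` are hypothetical, and only the two servlet names come from the advisory text. It flags requests to either servlet whose query value decodes (twice, to catch double encoding) to a dot-dot segment, a backslash-separated path, an absolute path or a NUL byte.

```python
import re
import urllib.parse

# Constructed sample lines in combined log format. They are not Arcserve UDP
# logs, the query-parameter names (file, path) are hypothetical, and only the
# two servlet names are taken from the advisory text.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2015:08:01:02 +0000] "GET /reportFileServlet?file=monthly.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2015:08:03:11 +0000] "GET /reportFileServlet?file=..%2F..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 403 "-" "curl/7.40.0"
203.0.113.7 - - [10/Jun/2015:08:03:12 +0000] "GET /exportServlet?path=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1811 "-" "curl/7.40.0"
10.0.0.9 - - [10/Jun/2015:08:05:00 +0000] "GET /images/logo.png?x=../../etc/passwd HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Jun/2015:08:06:30 +0000] "GET /exportServlet?path=C:\\Windows\\win.ini HTTP/1.1" 500 0 "-" "python-requests/2.7.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Servlet names from the advisory; compared case-insensitively.
VULNERABLE_SERVLETS = {"reportfileservlet", "exportservlet"}
DOTDOT_RE = re.compile(r"(^|/)\.\.(/|$)")
DRIVE_RE = re.compile(r"^[A-Za-z]:")


def traversal_indicators(raw_value):
    """Decode a raw (still percent-encoded) parameter value twice and report
    why it looks like a traversal attempt; an empty list means benign."""
    decoded = raw_value
    for _ in range(2):
        decoded = urllib.parse.unquote(decoded)
    reasons = []
    if "\x00" in decoded:
        reasons.append("nul-byte")
    if "\\" in decoded:
        reasons.append("backslash-separator")
    norm = decoded.replace("\\", "/")
    if DOTDOT_RE.search(norm):
        reasons.append("dot-dot-segment")
    if norm.startswith("/") or DRIVE_RE.match(norm):
        reasons.append("absolute-path")
    return reasons


def detect_traversal_attempts(lines):
    """Return one event per request to a vulnerable servlet whose query carries
    a traversal indicator. Query pairs are split by hand (not parse_qs) so the
    value reaches traversal_indicators() still encoded."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if path.rsplit("/", 1)[-1].lower() not in VULNERABLE_SERVLETS:
            continue
        for pair in query.split("&"):
            name, _, value = pair.partition("=")
            reasons = traversal_indicators(value)
            if reasons:
                events.append({
                    "client": m.group("client"),
                    "time": m.group("ts"),
                    "servlet": path,
                    "param": name,
                    "value": value,
                    "status": int(m.group("status")),
                    "reasons": reasons,
                })
    return events


if __name__ == "__main__":
    for ev in detect_traversal_attempts(SAMPLE_LOG.splitlines()):
        print(ev["time"], ev["client"], ev["servlet"], ev["param"],
              ev["status"], ",".join(ev["reasons"]))
```

On the constructed sample the hunt returns three events (two from 203.0.113.7, one from 198.51.100.3) and ignores the fourth line, where the same payload is aimed at an unrelated static file. The HTTP status is kept in each event because a 200 on a traversal request to an unpatched host is the signal that the read actually succeeded, whereas a 500 or 404 is more often a probe. Point the function at real access logs (one line per element of `lines`) to hunt across a fleet.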
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly blocks crafted file paths submitted to reportFileServlet/exportServlet before they can traverse directories.
- SI-2 (Flaw Remediation): requires prompt application of Arcserve UDP 5.0 Update 4, which eliminates the directory-traversal flaw in the affected servlets.
- Enforces proper file-access restrictions so that even unauthenticated requests cannot reach arbitrary paths via the vulnerable servlets.