CVE-2010-5323
published 2015-06-07

CVE-2010-5323: Directory traversal vulnerability in UploadServlet in the Remote Management component in Novell ZENworks Configuration Management (ZCM) 10 before 10.3 allows…

Priority: P266 | critical | 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 14.46% (96.2th percentile)
Directory traversal vulnerability in UploadServlet in the Remote Management component in Novell ZENworks Configuration Management (ZCM) 10 before 10.3 allows remote attackers to execute arbitrary code via a crafted WAR pathname in the filename parameter in conjunction with WAR content in the POST data, a different vulnerability than CVE-2010-5324.

Affected

8 ranges
Vendor | Product | Version range | Fixed in
novell | zenworks_configuration_management
novell | zenworks_configuration_management
novell | zenworks_configuration_management
novell | zenworks_configuration_management
novell | zenworks_configuration_management
novell | zenworks_configuration_management
novell | zenworks_configuration_management
novell | zenworks_configuration_management

Detection & IOCs (extracted from sources)

url: /zenworks/UploadServlet?filename=../../webapps/<app_base>.war
path: /zenworks/UploadServlet
command: POST /zenworks/UploadServlet?filename=../../webapps/<random>.war with Content-Type: application/octet-stream
  • Detect HTTP POST requests to /zenworks/UploadServlet where the 'filename' parameter contains directory traversal sequences (e.g., '../../') and the Content-Type is 'application/octet-stream', indicating an attempt to drop a WAR file outside the intended TEMP directory.
  • After the WAR upload, watch for a follow-up GET request to a newly appeared short-named JSP path (e.g., /<random_alphanum>/<random_alphanum>.jsp) on the same host, which is the payload trigger step.
  • The exploit targets servers responding with an 'Apache-Coyote' Server header; scope detection rules to ZENworks hosts identifiable by this header.
  • A successful upload returns HTTP 200 from UploadServlet; correlate a 200 response to a traversal-containing filename parameter POST as a high-confidence exploitation indicator.
  • The exploit targets Novell ZENworks Configuration Management 10.2.0 specifically; versions 10.3 and later are patched. Ensure detection rules are scoped to vulnerable versions (ZCM 10 before 10.3).
  • The WAR filename and JSP name are randomly generated alphanumeric strings at runtime, so static filename-based IOCs will not match; detection must rely on the traversal pattern in the filename parameter rather than specific filenames.
  • The exploit supports Java Universal, Windows x86, and Linux x86 payloads; detection and response playbooks should account for all three platform targets.
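
The detection bullets above, expressed as code (an added example, not part of the original page or any vendor rule): it flags POSTs to UploadServlet whose decoded filename contains a `..` segment, rates a 200 response as high confidence, and links a later GET for a JSP under the dropped WAR's name on the same host. The tuple record layout, the sample records, and the assumption that the WAR base name becomes the web context path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

SERVLET = "/zenworks/UploadServlet"
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")          # a '..' path segment
JSP_HIT = re.compile(r"^/([A-Za-z0-9]+)/[A-Za-z0-9]+\.jsp$")

def traversal_filename(uri):
    """Return the decoded 'filename' value if it holds a '..' segment, else None."""
    parts = urlsplit(uri)
    if parts.path.rstrip("/") != SERVLET:
        return None
    for value in parse_qs(parts.query).get("filename", []):
        decoded = unquote(value)   # parse_qs decoded once; undo double encoding
        if TRAVERSAL.search(decoded):
            return decoded
    return None

def detect(records):
    """Flag traversal uploads, then attach a later GET under the dropped WAR's name."""
    alerts, pending = [], {}       # pending: (host, assumed context name) -> alert
    for src, host, method, uri, status, ctype in records:
        if method == "POST":
            name = traversal_filename(uri)
            if name is None:
                continue
            alert = {"src": src, "host": host, "filename": name, "trigger": None,
                     "octet_stream": ctype == "application/octet-stream",
                     "confidence": "high" if status == 200 else "medium"}
            alerts.append(alert)
            base = re.split(r"[\\/]", name)[-1]
            if base.lower().endswith(".war"):
                pending[(host, base[:-4])] = alert
        elif method == "GET":
            path = urlsplit(uri).path
            m = JSP_HIT.match(path)
            if m and (host, m.group(1)) in pending:
                pending[(host, m.group(1))]["trigger"] = path
    return alerts

SAMPLE = [  # constructed records: (src, host, method, uri, status, content_type)
    ("198.51.100.7", "zcm01", "POST", SERVLET + "?filename=../../webapps/aB3xQ.war", 200, "application/octet-stream"),
    ("198.51.100.7", "zcm01", "GET", "/aB3xQ/k9Zp.jsp", 200, None),
    ("10.0.0.5", "zcm01", "POST", SERVLET + "?filename=report.zip", 200, "application/octet-stream"),
    ("203.0.113.9", "zcm02", "POST", SERVLET + "?filename=%252e%252e%2fwebapps%2fq7.war", 404, "application/octet-stream"),
]

if __name__ == "__main__":
    print(*detect(SAMPLE), sep="\n")
```

The last sample record is double URL-encoded and returns 404, so it is still flagged but at medium confidence and with no trigger attached.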