CVE-2010-5324
published 2015-06-07


Priority P276 · critical · 10 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 72.01% (99.4th percentile)
Directory traversal vulnerability in UploadServlet in the Remote Management component in Novell ZENworks Configuration Management (ZCM) 10 before 10.3 allows remote attackers to execute arbitrary code via a zenworks-fileupload request with a crafted directory name in the type parameter, in conjunction with a WAR filename in the filename parameter and WAR content in the POST data, a different vulnerability than CVE-2010-5323.

Affected

8 ranges
Vendor | Product | Version range | Fixed in
novell | zenworks_configuration_management
novell | zenworks_configuration_management
novell | zenworks_configuration_management
novell | zenworks_configuration_management
novell | zenworks_configuration_management
novell | zenworks_configuration_management
novell | zenworks_configuration_management
novell | zenworks_configuration_management

Detection & IOCs (extracted from sources)

url: /zenworks/UploadServlet?filename=../../webapps/<app_base>.war
url: /zenworks/UploadServlet
path: ../../webapps/
  • After the upload, watch for a secondary GET request to a short random-named path ending in .jsp (e.g., /<4-36 char alphanumeric>/<8-16 char alphanumeric>.jsp), which is the payload trigger step.
  • Look for HTTP responses containing 'Apache-Coyote' server header on ZENworks hosts as a fingerprint for vulnerable targets.
  • The exploit uploads a WAR file outside the TEMP directory via path traversal in the 'filename' parameter of UploadServlet, then triggers execution via a follow-up GET to the deployed JSP — monitor for this two-stage HTTP pattern.
  • The Metasploit module targets ZENworks Configuration Management 10.2.0 specifically; the NVD entry notes the vulnerability affects ZCM 10 before 10.3, so the traversal path and servlet endpoint may behave differently across minor versions.
  • The app_base and jsp_name components of the upload URI and trigger URI are randomly generated alphanumeric strings at runtime, so static string matching on those path segments alone is insufficient for detection; focus on the traversal pattern and UploadServlet endpoint instead.
  • The Linux x86 target is noted as 'should work but untested', so detection coverage should prioritize Windows and Java Universal platforms.
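
The two-stage pattern from the notes above as a log check, added here as an example and not taken from the page's sources. It flags UploadServlet requests whose filename or type parameter contains a `..` segment, then reports a later GET from the same client to a path of the described .jsp shape. The combined-log-format input, the function names and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not from a real host.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "POST /zenworks/UploadServlet?filename=../../webapps/abcd1234.war HTTP/1.1" 200 12
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /abcd1234/qwertyuiop.jsp HTTP/1.1" 200 0
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "POST /zenworks/UploadServlet?type=..%2F..%2Fwebapps&filename=x.war HTTP/1.1" 200 12
10.0.0.9 - - [01/Jan/2024:10:02:00 +0000] "POST /zenworks/UploadServlet?filename=report.txt HTTP/1.1" 200 12
10.0.0.9 - - [01/Jan/2024:10:02:05 +0000] "GET /zenworks/index.jsp HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Shape of the trigger path given in the notes: /<4-36 alnum>/<8-16 alnum>.jsp
TRIGGER_RE = re.compile(r'^/[A-Za-z0-9]{4,36}/[A-Za-z0-9]{8,16}\.jsp$')

def has_traversal(value):
    # parse_qs has already percent-decoded once; treat backslashes as separators.
    # Double-encoded input is not decoded further here.
    return ".." in value.replace("\\", "/").split("/")

def find_events(log_text):
    """Return (client, kind, target) tuples: 'upload-traversal' and 'jsp-trigger'."""
    events, suspects = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, target, _status = m.groups()
        url = urlsplit(target)
        if url.path.lower().endswith("/uploadservlet"):
            params = parse_qs(url.query)
            values = params.get("filename", []) + params.get("type", [])
            if any(has_traversal(v) for v in values):
                suspects.add(client)
                events.append((client, "upload-traversal", target))
        elif method == "GET" and client in suspects and TRIGGER_RE.match(url.path):
            # Only counted when the same client sent a traversal upload earlier.
            events.append((client, "jsp-trigger", target))
    return events

if __name__ == "__main__":
    for event in find_events(SAMPLE_LOG):
        print(*event, sep="\t")
```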