CVE-2011-5127
Published 2012-08-26
Priority: P2 · 62 · critical · 10 (CVSS 2.0)
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 13.16% (95.9th percentile)
Directory traversal vulnerability in Blue Coat Reporter 9.x before 9.2.4.13, 9.2.5.x before 9.2.5.1, and 9.3 before 9.3.1.2 on Windows allows remote attackers to read arbitrary files, and consequently execute arbitrary code, via an unspecified HTTP request.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bluecoat | reporter | — | — |
| bluecoat | reporter | — | — |
| bluecoat | reporter | — | — |
| bluecoat | reporter | — | — |
Detection & IOCs (extracted from sources)
bytes: %c0.%c0./
- Detect directory traversal attempts against Blue Coat Reporter (default port 8081) using overlong/malformed UTF-8 encoded dot sequences (%c0.%c0./) in HTTP request paths.
- Monitor HTTP requests to port 8081 containing 8.3 short-name path components (e.g., progra~1, blueco~1) combined with traversal sequences, which bypass space-encoding restrictions.
- The vulnerability only affects the Windows installation; Linux deployments are not vulnerable and can be excluded from detection scope.
- Requests using URL-encoded spaces (%20) in the traversal path do NOT successfully exploit the vulnerability; only 8.3 short-name equivalents (progra~1, blueco~1) work.
- At time of public disclosure, a patch existed for 9.3.1.1 but no patch was available for 9.2.x or 9.1.x; patched versions per NVD are 9.2.4.13+, 9.2.5.1+, and 9.3.1.2+.
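One way to turn the detection notes above into a log check, as an added example rather than a rule from the page's sources. It assumes each record pairs the destination port with a request line in the usual `METHOD target HTTP/x` form; the sample requests, the `placeholder.txt` file name and the verdict labels are constructed for illustration.

```python
import re

# Indicator listed on the page: %c0.%c0./ (matched on the raw, undecoded target)
TRAVERSAL = re.compile(r"(?:%c0\.){2}[/\\]", re.IGNORECASE)
# 8.3 short-name path component such as progra~1 or blueco~1
SHORT_NAME = re.compile(
    r"(?:^|[/\\])[^/\\?~]{1,6}~\d(?:\.[^/\\?]{0,3})?(?=[/\\?]|$)")
REPORTER_PORT = 8081  # default Reporter port per the page


def classify(dst_port, request_line):
    """Return a verdict label for one request line, or None if nothing matches."""
    if dst_port != REPORTER_PORT:
        return None
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None  # not a parseable request line
    target = parts[1]  # keep it undecoded: URL-decoding would alter the indicator
    if not TRAVERSAL.search(target):
        return None
    if SHORT_NAME.search(target):
        # Traversal plus 8.3 names: the combination the page says succeeds.
        return "traversal+shortname"
    if "%20" in target:
        # Traversal with encoded spaces: an attempt that fails, per the page.
        return "traversal+encoded-space"
    return "traversal"


def scan(records):
    """Return (index, verdict) for every record that produced a verdict."""
    hits = []
    for i, (port, line) in enumerate(records):
        verdict = classify(port, line)
        if verdict:
            hits.append((i, verdict))
    return hits


# Constructed sample records: (destination port, request line)
SAMPLE = [
    (8081, "GET /%c0.%c0./progra~1/blueco~1/placeholder.txt HTTP/1.1"),
    (8081, "GET /%C0.%C0./Program%20Files/placeholder.txt HTTP/1.1"),
    (8081, "GET /reports/summary?id=7 HTTP/1.1"),
    (80, "GET /%c0.%c0./index HTTP/1.1"),
]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE):
        print(index, verdict, SAMPLE[index][1])
```

Because only Windows installations are affected, the records fed to `scan` can be limited to Windows Reporter hosts.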