cbcvebase.
CVE-2015-0779
published 2015-06-07

Priority: P2 · 74 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 74.52% (99.4th percentile)

Directory traversal vulnerability in UploadServlet in Novell ZENworks Configuration Management (ZCM) 10 and 11 before 11.3.2 allows remote attackers to execute arbitrary code via a crafted directory name in the uid parameter, in conjunction with a WAR filename in the filename parameter and WAR content in the POST data, a different vulnerability than CVE-2010-5323 and CVE-2010-5324.

Affected

5 ranges
Vendor | Product | Version range | Fixed in
novell | zenworks_configuration_management | |
novell | zenworks_configuration_management | |
novell | zenworks_configuration_management | |
novell | zenworks_configuration_management | |
novell | zenworks_configuration_management | |

Detection & IOCs (extracted from sources)

url: /zenworks/UploadServlet?uid=../../../opt/novell/zenworks/share/tomcat/webapps/&filename=payload.war
path: ../../../opt/novell/zenworks/share/tomcat/webapps/
path: ../webapps/
path: /zenworks/UploadServlet
filename: payload.war

  • Detect unauthenticated HTTP POST requests to /zenworks/UploadServlet containing directory traversal sequences (e.g., '../') in the 'uid' query parameter combined with a '.war' filename in the 'filename' parameter.
  • Alert on HTTP GET requests to /zenworks/UploadServlet returning HTTP 200 with body matching 'ZENworks File Upload Servlet' — this is the fingerprinting/check request used by the Metasploit module.
  • Monitor for WAR file uploads (Content-Type: application/octet-stream) to the ZCM UploadServlet endpoint, particularly where the uid parameter traverses to a Tomcat webapps directory.
  • No authentication is required to exploit this vulnerability; any unauthenticated POST to UploadServlet with traversal in uid should be treated as a high-severity alert.
  • The traversal path in the uid parameter differs between Windows and Linux ZCM installations; defenders should account for both known paths.
  • The Metasploit module allows an operator-supplied custom TOMCAT_PATH, meaning the traversal string is not fixed and may vary beyond the two known default paths.
  • The deployed WAR app_base name is randomly generated alphanumeric, so the follow-up trigger request URI will not be predictable for signature matching.
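
The detection points above can be applied to web access logs as follows. This is an added example, not code from this page or from the Metasploit module; it assumes combined-format access logs, and the names classify, scan and SAMPLE_LOG are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

SERVLET = "/zenworks/uploadservlet"  # compared case-insensitively
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# ".." as a whole path segment, with either slash style (Linux or Windows paths).
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so a multiply-encoded '../' is still visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (severity, reason) for one log line, or None if nothing matches."""
    m = LINE_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m["uri"])
    if fully_decode(parts.path).lower().rstrip("/") != SERVLET:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    uid = fully_decode(query.get("uid", [""])[0])
    filename = fully_decode(query.get("filename", [""])[0])
    # Match the traversal generically: the target directory is not a fixed string.
    if m["method"] == "POST" and TRAVERSAL_RE.search(uid):
        if filename.lower().endswith(".war"):
            return ("high", "traversal in uid with WAR filename")
        return ("high", "traversal in uid")
    # Access logs carry no response body, so this is only a candidate fingerprint.
    if m["method"] == "GET" and m["status"] == "200":
        return ("info", "possible UploadServlet fingerprint request")
    return None

SAMPLE_LOG = [  # constructed lines using documentation IP ranges
    '192.0.2.10 - - [07/Jun/2015:10:00:00 +0000] "GET /zenworks/UploadServlet HTTP/1.1" 200 32',
    '192.0.2.10 - - [07/Jun/2015:10:00:02 +0000] "POST /zenworks/UploadServlet?uid=../../../opt/novell/zenworks/share/tomcat/webapps/&filename=payload.war HTTP/1.1" 200 0',
    '192.0.2.11 - - [07/Jun/2015:10:05:00 +0000] "POST /zenworks/UploadServlet?uid=%2e%2e%2fwebapps%2f&filename=x.WAR HTTP/1.1" 200 0',
    '198.51.100.5 - - [07/Jun/2015:10:06:00 +0000] "POST /zenworks/UploadServlet?uid=device01&filename=inventory.xml HTTP/1.1" 200 0',
    '198.51.100.5 - - [07/Jun/2015:10:07:00 +0000] "GET /zenworks/ HTTP/1.1" 200 512',
]

def scan(lines):
    """Return (line_number, severity, reason) for every flagged line."""
    return [(n, *hit) for n, l in enumerate(lines, 1) if (hit := classify(l))]
```

Because the follow-up request to the deployed application uses a random name, this check covers only the upload and fingerprint requests. Correlating an "info" hit with a later "high" hit from the same client is a reasonable next step.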