CVE-2017-15276
published 2017-10-13


Priority: P2 (62) · Severity: high · CVSS 3.0 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 9.49% (94.8th percentile)
OpenText Documentum Content Server (formerly EMC Documentum Content Server) through 7.3 contains the following design gap, which allows an authenticated user to gain superuser privileges: Content Server allows uploading content using batches (TAR archives). When unpacking TAR archives, Content Server fails to verify the contents of an archive, which causes a path traversal vulnerability via symlinks. Because some files on the Content Server filesystem are security-sensitive, this leads to privilege escalation.

Affected

1 range
Vendor: opentext
Product: documentum_content_server
Version range: <= 7.3
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /u01/documentum/cs/product/7.2/bin/dm_set_server_env.sh
path: /u01/documentum/cs/shared/config/dfc.keystore
filename: dfc.keystore
filename: property.txt
port: 10001
  • Monitor Documentum dmr_content objects created with page_modifier='dm_batch' or page_modifier='vuln', which are used by the exploit to stage and retrieve malicious TAR content.
  • Alert on Documentum DQL queries for dmr_content WHERE page_modifier='vuln', which is the exploit's marker string used to retrieve exfiltrated file content.
  • Monitor access to dfc.keystore under the DOCUMENTUM_SHARED/config/ path; the exploit downloads this keystore to forge a trusted identity and escalate to the install owner (dmadmin).
  • Detect Documentum sessions authenticating with Identity(trusted=True, keystore=...) — the exploit uses the stolen keystore to create a trusted session as the server install owner without a password.
  • Monitor for TAR archives (GNU_FORMAT) uploaded to Documentum that contain a property.txt file alongside symlink entries — this is the specific TAR structure crafted by the exploit.
  • Detect use of the default Documentum service account 'dm_bof_registry' authenticating to Content Server, as this is the low-privileged account used to initiate the exploit.
  • The exploit targets Documentum Content Server through version 7.3; the hardcoded paths (e.g., /u01/documentum/cs/product/7.2/...) are environment-specific and may differ across deployments — detection rules based on these paths should be adapted to the actual installation prefix.
  • The exploit falls back to a TLS connection with cipher suite 'ALL:aNULL:!eNULL' (including null-auth ciphers) when the standard TCP connection is refused; network inspection of Documentum traffic may need to account for this encrypted fallback channel.

CVSS provenance

NVD, v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P