CVE-2024-0800
Published: 2024-03-13
Priority: P2 · 79 · high · 8.8 CVSS 3.1
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV
Exploited in the wild
EPSS: 1.03% (59.5th percentile)
A path traversal vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arcserve | udp | — | — |
| arcserve | udp | — | — |
| arcserve | unified_data_protection | <= 9.2 | — |
| github.com | minio_minio | >= 0.0.0-20220623162515-580d9db85e04 < 0.0.0-20241213221912-68b004a48f41 | 0.0.0-20241213221912-68b004a48f41 |
Detection & IOCs (extracted from sources)
path: C:\Program Files\Arcserve\Unified Data Protection\Management\Report\Temp\2023_12_01__20_54_58_355\/../../../../../../../../..//Windows/System32/existing_exe_to_be_replaced.exe
command: python3 arcserve_udp_console_wizardLogin_auth_bypass.py -t -p 8015 -f /tmp/malicious_file -s '\Windows\System32\existing_exe_to_be_replaced.exe'
- Detect unauthenticated POST requests to /management/wizardLogin that omit the password parameter — this is the authentication bypass (CVE-2024-0799) used to chain into the path traversal upload (CVE-2024-0800).
- Monitor file upload requests to the ImportNodeServlet endpoint for path traversal sequences (e.g., '../' or '..\') in the destination path parameter, particularly targeting paths outside the UDP Report/Temp directory.
- Alert on file write operations originating from the Arcserve UDP Console process (running as SYSTEM) to sensitive directories such as Windows\System32, as the upload runs under the SYSTEM security context.
- Inspect inbound traffic on TCP port 8015 for requests to /management/wizardLogin or /management/services/EdgeServiceConsoleImpl with anomalous or missing authentication parameters.
- CVE-2024-0800 (path traversal file upload) requires prior authentication; in practice it is chained with CVE-2024-0799 (wizardLogin auth bypass) to achieve unauthenticated exploitation. Detection rules should account for both steps of the chain.
- Affected versions are Arcserve UDP 9.2 and 8.1. Patches P00003050 (UDP 9.2) and P00003059 (UDP 8.1) are available; patched systems should no longer be vulnerable to this exploit chain.
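The first two detection points above (a wizardLogin POST with no password parameter, and traversal sequences in an ImportNodeServlet upload parameter) as a small request-log checker. This is an added example, not code from the page's sources or from Arcserve; the request records are constructed, the servlet URL is assumed to end in `ImportNodeServlet`, and the parameter name `dest` is hypothetical, so every parameter is scanned rather than one fixed name.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed request records (method, URL, body); the paths are assumptions.
SAMPLE_REQUESTS = [
    ("POST", "/management/wizardLogin", "userName=admin&password=x"),
    ("POST", "/management/wizardLogin", "userName=admin"),
    ("POST", "/servlet/ImportNodeServlet?dest=..%5C..%5CWindows%5CSystem32%5Cx.exe", "data=1"),
    ("POST", "/servlet/ImportNodeServlet?dest=node_export.xml", "data=1"),
    ("GET", "/management/services/EdgeServiceConsoleImpl", ""),
]

# A '..' segment bounded by start/end of string or either slash style.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.($|[\\/])")

def _params(query: str, body: str) -> dict:
    """Merge query-string and form-body parameters, lower-casing names."""
    merged = {}
    for src in (query, body):
        for k, v in parse_qs(src, keep_blank_values=True).items():
            merged.setdefault(k.lower(), []).extend(v)
    return merged

def _has_traversal(value: str) -> bool:
    # Decode twice so single- and double-encoded ../ and ..\ are both caught.
    return TRAVERSAL.search(unquote(unquote(value))) is not None

def analyse(method: str, url: str, body: str) -> list:
    """Return a list of finding strings for one request (empty if clean)."""
    parts = urlsplit(url)
    path = parts.path.lower()
    params = _params(parts.query, body)
    findings = []
    if method == "POST" and path == "/management/wizardlogin" and "password" not in params:
        findings.append("wizardLogin POST without password parameter (CVE-2024-0799 bypass pattern)")
    if path.endswith("/importnodeservlet"):
        for name, values in params.items():
            if any(_has_traversal(v) for v in values):
                findings.append(f"traversal sequence in ImportNodeServlet parameter '{name}' (CVE-2024-0800)")
    return findings

def scan(requests: list) -> dict:
    """Map request index -> findings for every request that triggered a rule."""
    hits = {}
    for i, req in enumerate(requests):
        found = analyse(*req)
        if found:
            hits[i] = found
    return hits
```

Correlating the two findings from the same client in a short window is what turns these into the chained, unauthenticated case the bullets describe.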
CVSS provenance
nvd: v3.1 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck: 8.8 HIGH
GHSA
MinIO vulnerable to privilege escalation in IAM import API
ghsa·2024-12-16
CVE-2024-55949 [HIGH] CWE-269 MinIO vulnerable to privilege escalation in IAM import API
### Impact
Privilege escalation in IAM import API, all users are impacted since MinIO commit 580d9db85e04f1b63cc2909af50f0ed08afa965f
### Patches
````
commit f246c9053f9603e610d98439799bdd2a6b293427
Author: Aditya Manthramurthy
Date: Wed Dec 11 18:09:40 2024 -0800
fix: Privilege escalation in IAM import API (#20756)
This API had missing permissions checking, allowing a user to change
their policy mapping by:
1. Craft iam-info.zip file: Update own user permission in
user_mappings.json
2. Upload it via `mc admin cluster iam import nobody iam-info.zip`
Here `nobody` can be a user with pretty much any kind of permission (but
not anonymous) and this ends up working.
Some more detailed steps - start from a fresh setup:
```
./minio
````
GHSA
GHSA-2473-36w3-q5h4: A path traversal vulnerability exists in Arcserve Unified Data Protection 9
ghsa_unreviewed·2024-03-13
CVE-2024-0800 [HIGH] CWE-434 GHSA-2473-36w3-q5h4: A path traversal vulnerability exists in Arcserve Unified Data Protection 9
A path traversal vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet.
VulnCheck
Arcserve Unified Data Protection Directory Traversal
vulncheck·2024·CVSS 8.8
CVE-2024-0800 [HIGH] Arcserve Unified Data Protection Directory Traversal
A path traversal vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet.
Affected: Arcserve Unified Data Protection
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://digital.nhs.uk/cyber-alerts/2024/cc-4487
Suricata
GPL FTP SITE NEWER overflow attempt
suricata·2010-09-23
CVE-1999-0800 GPL FTP SITE NEWER overflow attempt
Rule:
```
alert ftp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE NEWER overflow attempt"; flow:established,to_server; content:"SITE"; nocase; content:"NEWER"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+NEWER\s[^\n]{100}/smi"; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-admin; sid:2101920; rev:9; metadata:created_at 2010_09_23, cve CVE_1999_0800, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
```
No public exploits indexed.