Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute any task as administrator.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-07-03T00:00:00

Updated: 2024-08-02T11:46:24.454Z

Reserved: 2023-02-21T00:00:00

Link: CVE-2023-26258

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-07-03T15:15:10.377

Modified: 2023-07-12T21:15:08.920

Link: CVE-2023-26258

cve-icon Redhat

No data.