CVE-2017-14105
Last modified
CVE-2017-14105 is a vulnerability of currently unknown severity. HiveManager Classic through 8.1r1 allows arbitrary JSP code execution by modifying a backup archive before a restore, because the restore feature does not validate pathnames within the archive. An authenticated, local attacker - even restricted as a tenant - can add a jsp at HiveManager/tomcat/webapps/hm/domains/$yourtenant/maps (it will be exposed at the web interface). EPSS estimates a 1.30% chance of exploitation in the next 30 days.
Description
HiveManager Classic through 8.1r1 allows arbitrary JSP code execution by modifying a backup archive before a restore, because the restore feature does not validate pathnames within the archive. An authenticated, local attacker - even restricted as a tenant - can add a jsp at HiveManager/tomcat/webapps/hm/domains/$yourtenant/maps (it will be exposed at the web interface).
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Aerohive | Hivemanager Classic | 8.0r1 |
| Aerohive | Hivemanager Classic | 8.1r1 |
References
- https://github.com/theguly/CVE-2017-14105 (Exploit, Patch, Third Party Advisory)
Timeline
- Published
- Last Modified
- Status: Modified
Source: NVD / NIST
