[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

BMC-2015-0006: File inclusion vulnerability in "BIRT Engine" servlet used in BMC Remedy AR Reporting



------------------------------------------------------------------------
File inclusion vulnerability in "BIRT Engine" servlet used in BMC Remedy 
AR Reporting
 
BMC Identifier: BMC-2015-0006
CVE Identifier: CVE-2015-5072
------------------------------------------------------------------------
By BMC Application Security, SEP 2015
 
------------------------------------------------------------------------
Vulnerability summary
------------------------------------------------------------------------
A security vulnerability has been identified in BMC Remedy 
AR Reporting.
 
The vulnerability can be exploited remotely allowing navigation to any 
file in the local file system.

------------------------------------------------------------------------
CVSS v2.0 Base Metrics
------------------------------------------------------------------------
Reference:	
CVE-2015-5072

Base Vector:					
(AV:N/AC:L/Au:S/C:P/I:N/A:N) 	

Base Score:
4.0

------------------------------------------------------------------------
Affected versions
------------------------------------------------------------------------
The flaw has been confirmed to exist in BMC Remedy AR 8.1 and 9.0. 
Earlier Versions may also be affected
 
------------------------------------------------------------------------
Resolution
------------------------------------------------------------------------
A hotfix as well as a workaround are available at
 
https://kb.bmc.com/infocenter/index?page=content&id=KA429507
 
------------------------------------------------------------------------
Credits
------------------------------------------------------------------------
Credit for discovery of this vulnerability: Stephan Tigges from tigges-security.de
 
------------------------------------------------------------------------
Reference
------------------------------------------------------------------------
CVE-2015-5072
 
Information about BMC's corporate procedure for external vulnerability 
disclosures is at http://www.bmc.com/security

-----BEGIN PGP MESSAGE-----
Version: GnuPG v2

owGtll9oHEUcx5OcJs3hoUWsUWwdE22a2vuTkKjdGtvLmUCISdu79PIihbm92bsh
ezvLzOz9MZgElGIeTIyIhkgoCLZafSiNGMRSldKIrUGrUDQ+1D8U0VIsWmhK2uhv
7prq5cGn3Zedndn9/fn+Pr8f+4rPU7Gu8mjNibm/ri69VnnmYqIi7tna5Xfp8nm7
qEkQtXTTEZRZKOuYFuE4QU0qC7CP6ju6o/2o00pRi/w8OoME4VmTSOQIklTnHb0R
FCUZkiwgnzcchbXNuKRWyueFDXXanSSWpAYlXFNv+1tCzW3+UCj0mM8biXeWHcNz
6bgt9HiLz+telh2FYqBh2zapjqXKNEZ0h0OS21Cscw9SXosRu+czXialcDIZzAtu
OghDMUo5rClbGguUIMRCdFXb/y9VoJh5f5qssaNjC+wgkrdNRiUY4STDJDELCJsm
y8GXyMJZmioJKhnCljJtlJBCEgyaTMcmKu6IgpAkA77c1CASj8VQtiUQQh1YENRL
JKe6cNNDlBiEE0snWm0R2P8CCmApr3GiS8a1WnX5vFvCca0vGI5ozwTDjhYLRrQ9
wW61o/U1odpbH8V0xonm87YGQu5KEjYMiAeqlSVc9bSraihIDBPn/mVMZ5ZBOVCl
ACB5KuQa1oC0JwLNwEYSbQ+EAgBIJ+Ym9DvoVgoQZbBCSjBFG74ZvsvdGCWCmY4C
1d0WTDNp0DwCNXLENNUdoxzjg5gzBzLGHDLKYmriBLQAlsWs0lLaQgsGBxOBREYP
6CwTpJbBdGhWwmGZJPmdNk6RdtBWwuZmmmzvCbe2bAfqXJYlwkmSSlcRKZlEBuMo
SYXOAMMCYgaMAyrKB4yGYpLYaZgy/TSVIgIZnGWQLK79q7MtkCSuo3Czo90dRGWT
AQLuhpLyTGk24gRzpGqKRgENw2HuYkmQzaHmSQcQUWKRPFTfgmlZPoR9XqWiyQS8
JxBFAJhEiiAAKJfL3SJoVa+xygduq6hcV1F9e5X6U6jw1t61+vsgjtUs17w6Mz99
4M/Nzst/f744Nt/4wo2Nha+fnV98Ozby1XuHth6o692wt6Ev6rE9v6ws1108db1h
79TwxsYPLu3y39P045H40IWn0guPejakV8aH33V6Wu+88e2mXfNP7n79+OTc/bE3
Z4598WLV/s9+iu+7u/pq88Ezo0c9KzsHf+jZ//Snv01MDjQOnK1+KxK/8OEnc9Oz
3kPWyEen2r6zr+RGTy4cPtf00IP2tktLw9cvT0wtRxp6g50H82PP7+s6PL7pnZbc
79N1s+MDQ30LPfWTL52+d8S5dvbX02QkvOP4+xNXqobOX17akp2cK7TJh0+eu+/7
2fPPfRz5o/6bN4KiPbA4fs1af+KOHY/s/nLqHw==
=t+wt
-----END PGP MESSAGE-----