Arbitrary Command Execution Vulnerability in Veritas NetBackup and NetBackup Appliance
CVE-2017-6406

8.8HIGH

Key Information:

Vendor: Veritas
Status: Netbackup Appliance; Netbackup; Access
Vendor: CVE Published:; 2 March 2017

What is CVE-2017-6406?

A vulnerability exists in Veritas NetBackup and NetBackup Appliance that allows for arbitrary command execution due to improper handling of directory paths. By using a directory escape technique with '../' substrings, an attacker can potentially execute commands with elevated privileges. This flaw affects all versions of Veritas NetBackup prior to 7.7.2 and NetBackup Appliance before version 2.7.2, posing a significant security risk. Organizations utilizing these products should apply the necessary security patches to mitigate exposure to this vulnerability.

References

http://www.securityfocus.com/bid/96486

vdb-entryx_refsource_BID

https://www.veritas.com/content/support/en_US/security/VT...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 2, 2017
Vulnerability Reserved
Mar 1, 2017