Remote Information Disclosure Vulnerability in CA Arcserve D2D by CA Technologies
CVE-2020-27858

7.5HIGH

Key Information:

Vendor: Arcserve
Status: D2d
Vendor: CVE Published:; 20 January 2021

What is CVE-2020-27858?

This vulnerability enables remote attackers to exploit affected installations of CA Arcserve D2D 16.5 by disclosing sensitive information. The flaw resides in the 'getNews' method, where improper handling of XML External Entity (XXE) references allows an attacker to craft a document that triggers the XML parser to access a specified URI. This results in unauthorized information disclosure in the context of the SYSTEM, posing a significant risk to data integrity and confidentiality.

Affected Version(s)

D2D 16.5

References

https://www.zerodayinitiative.com/advisories/ZDI-20-1397/

x_refsource_MISC

EPSS Score

20% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 20, 2021
Vulnerability Reserved
Oct 27, 2020

Credit

rgod