CVE-2016-2205 : Directory traversal vulnerability in the file-download configuration file in the management console in Symantec Workspac

Directory traversal vulnerability in the file-download configuration file in the management console in Symantec Workspace Streaming (SWS) 7.5.x before 7.5 SP1 HF9 and 7.6.0 before 7.6 HF5 and Symantec Workspace Virtualization (SWV) 7.5.x before 7.5 SP1 HF9 and 7.6.0 before 7.6 HF5 allows remote authenticated users to read unspecified application files via unknown vectors.

Published 2016-07-12 02:00:05

Updated 2017-09-01 01:29:05

Source Symantec Corporation

View at NVD, CVE.org

Vulnerability category: Directory traversal

Exploit prediction scoring system (EPSS) score for CVE-2016-2205

Probability of exploitation activity in the next 30 days: 0.15%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 51 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2016-2205

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.1	MEDIUM	AV:A/AC:L/Au:N/C:C/I:N/A:N	6.5	6.9	NIST
Access Vector: Adjacent Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: None Availability Impact: None
5.7	MEDIUM	CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	2.1	3.6	NIST
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2016-2205

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-2205

http://www.securityfocus.com/bid/89395

Mutiple Symantec Products CVE-2016-2205 Directory Traversal Vulnerability
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160707_00

Symantec Workspace Streaming and Workspace Virtualization Path Traversal and Arbitrary File Read
Vendor Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1036263

Symantec Workspace Virtualization Directory Traversal Flaw Lets Remote Authenticated Users View Arbitrary Files - SecurityTracker

CVEs referencing this url
http://www.securitytracker.com/id/1036262

Symantec Workspace Streaming Directory Traversal Flaw Lets Remote Authenticated Users View Arbitrary Files - SecurityTracker

CVEs referencing this url

Products affected by CVE-2016-2205

Symantec » Workspace Streaming » Version: 7.5.0 Update SP1
cpe:2.3:a:symantec:workspace_streaming:7.5.0:sp1:*:*:*:*:*:*
Matching versions
Symantec » Workspace Streaming » Version: 7.5.0
cpe:2.3:a:symantec:workspace_streaming:7.5.0:*:*:*:*:*:*:*
Matching versions
Symantec » Workspace Streaming » Version: 7.6.0
cpe:2.3:a:symantec:workspace_streaming:7.6.0:*:*:*:*:*:*:*
Matching versions
Symantec » Workspace Virtualization » Version: 7.5.0
cpe:2.3:a:symantec:workspace_virtualization:7.5.0:*:*:*:*:*:*:*
Matching versions
Symantec » Workspace Virtualization » Version: 7.5.0 Update SP1
cpe:2.3:a:symantec:workspace_virtualization:7.5.0:sp1:*:*:*:*:*:*
Matching versions
Symantec » Workspace Virtualization » Version: 7.6.0
cpe:2.3:a:symantec:workspace_virtualization:7.6.0:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2016-2205

Exploit prediction scoring system (EPSS) score for CVE-2016-2205

CVSS scores for CVE-2016-2205

CWE ids for CVE-2016-2205

References for CVE-2016-2205

Products affected by CVE-2016-2205