Vulnerability Details : CVE-2011-2397
The Agent service in Iron Mountain Connected Backup 8.4 allows remote attackers to execute arbitrary code via a crafted opcode 13 request that triggers use of the LaunchCompoundFileAnalyzer class to send request data to the System.getRunTime.exec method.
Vulnerability category: Input validation, Execute code
Products affected by CVE-2011-2397
- cpe:2.3:a:ironmountain:connected_backup:8.4:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2011-2397
- 55.63%: Probability of exploitation activity in the next 30 days
- ~ 98%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2011-2397
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST | |
CWE ids for CVE-2011-2397
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-2397
- http://www.zerodayinitiative.com/advisories/ZDI-11-339/
  ZDI-11-339 | Zero Day Initiative
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71602
  Iron Mountain Connected Backup command execution CVE-2011-2397 Vulnerability Report