Vulnerability Details : CVE-2014-5445
Public exploit exists!
Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to the (1) CSVServlet or (2) CReportPDFServlet servlet.
Vulnerability category: Directory traversal
Products affected by CVE-2014-5445
- cpe:2.3:a:zohocorp:manageengine_it360:10.3.0:*:*:*:*:*:*:*
- Zohocorp » Manageengine Netflow AnalyzerVersions from including (>=) 8.6 and up to, including, (<=) 10.2cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-5445
91.59%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2014-5445
-
ManageEngine NetFlow Analyzer Arbitrary File Download
Disclosure Date: 2014-11-30First seen: 2020-04-26auxiliary/admin/http/netflow_file_downloadThis module exploits an arbitrary file download vulnerability in CSVServlet on ManageEngine NetFlow Analyzer. This module has been tested on both Windows and Linux with versions 8.6 to 10.2. Note that when typing Windows paths, you must escape the backslash w
CVSS scores for CVE-2014-5445
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST |
CWE ids for CVE-2014-5445
-
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-5445
-
http://www.securityfocus.com/archive/1/534122/100/0/threaded
SecurityFocusThird Party Advisory;VDB Entry
-
http://packetstormsecurity.com/files/129336/ManageEngine-Netflow-Analyzer-IT360-File-Download.html
ManageEngine Netflow Analyzer / IT360 File Download ≈ Packet StormExploit;Patch;Third Party Advisory;VDB Entry;Vendor Advisory
-
http://www.securityfocus.com/archive/1/534141/100/0/threaded
SecurityFocusThird Party Advisory;VDB Entry
-
http://www.securityfocus.com/bid/71404
Multiple ManageEngine Products Multiple Arbitrary File Download VulnerabilitiesExploit;Mailing List;Third Party Advisory;VDB Entry
-
https://github.com/rapid7/metasploit-framework/pull/4282
Add exploit for CVE-2014-5445, NetFlow Analyzer arbitrary download by pedrib · Pull Request #4282 · rapid7/metasploit-framework · GitHubExploit;Third Party Advisory
-
http://seclists.org/fulldisclosure/2014/Dec/9
Full Disclosure: [The ManageOwnage Series, part IX]: 0-day arbitrary file download in NetFlow Analyzer and IT360Exploit;Mailing List;Third Party Advisory
-
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_netflow_it360_file_dl.txt
Exploit;Third Party Advisory
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/99045
ManageEngine NetFlow Analyzer and IT 360 schFilePath directory traversal CVE-2014-5445 Vulnerability ReportThird Party Advisory;VDB Entry
-
https://support.zoho.com/portal/manageengine/helpcenter/articles/cve-2014-5445-cve-2014-5446-fix-for-arbitrary-file-download
CVE-2014-5445 & CVE-2014-5446 : Fix for Arbitrary file downloadVendor Advisory
Jump to