Title: Acme.Serve v1.7 Arbitrary File Access Vulnerability
Severity: HIGH
Description:
Acme.Serve is a free, open-source, embeddable webserver written in Java. It is small, is intended to provide minimal functionality, and is fully compatible with JavaServer.
Acme.Serve 1.7 comes with a webserver that listens on port 9090. This webserver allows clients to browse the filesystem. By default, this webserver is enabled and accessible by any remote host on the Internet.
If an attacker were to connect with a browser, they could view the contents of arbitrary files on the filesystem. Since the webserver runs with root privileges, the attacker can view almost any file.
Obtaining sensitive system information may assist in further attacks against the host.
** Cisco has reported that some versions of Secure ACS for UNIX suffer from this vulnerability.
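The defect described above is a web server that hands out whatever path a client names. The following is an added example, not Acme.Serve's own code (which is Java) and not from the advisory: a Python path-containment check of the kind such a server needs, plus a small pass over constructed access-log lines that flags requests which resolve outside the document root. The `DOCROOT` value and the log lines are assumptions made up for the example.

```python
import os
import re
from urllib.parse import unquote

# Constructed document root for the example; a real server's root is a deployment setting.
DOCROOT = "/srv/acme-docroot"


def resolved_docroot(docroot=DOCROOT):
    """Canonical form of the document root, so containment compares like with like."""
    return os.path.realpath(docroot)


def resolve_request_path(request_path, docroot=DOCROOT):
    """Map an HTTP request path onto the filesystem, or return None if it escapes docroot.

    The containment test runs on the fully resolved (realpath) candidate, so encoded
    dots, backslashes, repeated slashes and "a/../.." sequences all reduce to one
    question: does the final path still sit at or beneath the document root?
    """
    root = resolved_docroot(docroot)
    # Decode percent-encoding exactly once, as the HTTP layer would; decoding again
    # would turn "%252e" into a dot, which no compliant client could have meant.
    decoded = unquote(request_path)
    # A NUL byte terminates strings in lower layers and must never reach a file open.
    if "\x00" in decoded:
        return None
    # Treat backslash as a separator so "..\\" cannot slip past a "/"-only check.
    decoded = decoded.replace("\\", "/")
    # Strip leading slashes, otherwise os.path.join discards the docroot entirely.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # Accept the root itself or something strictly beneath it. The separator in the
    # prefix matters: "/srv/acme-docroot-old/x" starts with "/srv/acme-docroot" too.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


# Constructed access-log lines in Common Log Format, as a server on port 9090 might
# write them. The 200 responses on the escaping requests are what a vulnerable
# server would record; a fixed server would answer those with 403 or 404.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
203.0.113.7 - - [10/Oct/2000:13:55:41 -0700] "GET /../../../../etc/passwd HTTP/1.0" 200 1845
198.51.100.23 - - [10/Oct/2000:13:56:02 -0700] "GET /docs/../index.html HTTP/1.0" 200 2326
198.51.100.23 - - [10/Oct/2000:13:56:09 -0700] "GET /%2e%2e/%2e%2e/etc/shadow HTTP/1.0" 200 912
"""

# Pull client address, method and request target out of a CLF line.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def find_escaping_requests(log_text, docroot=DOCROOT):
    """Return (client, target) for every logged request whose path leaves docroot.

    Reusing the same resolver as the server means the detector and the mitigation
    agree on what counts as an escape, including encoded and backslash variants.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        path = target.split("?", 1)[0]  # query string plays no part in path resolution
        if resolve_request_path(path, docroot) is None:
            hits.append((m.group("client"), target))
    return hits


if __name__ == "__main__":
    for client, target in find_escaping_requests(SAMPLE_LOG):
        print(f"escape attempt from {client}: {target}")
```

The same `resolve_request_path` serves both purposes: placed in front of the file open it turns the arbitrary-file read into a 403/404, and run over historical logs it tells you which clients already probed for it. Note that it does nothing about the other half of the advisory; a server that must listen on 9090 should still not run as root, so that even a missed edge case exposes only what the service account can read.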
Affected Products:
- ACME Laboratories Acme.Serve 1.7.0
- APC PowerChute Network Shutdown 2.2.1
- Cisco Secure ACS for Unix 2.0.0
- Cisco Secure ACS for Unix 2.3.0
- Cisco Secure ACS for Unix 2.3.5.1
References:
- ACME Laboratories: Acme.Serve Package Page
- APC: American Power Conversion Home Page
- guiness.stout: APC PowerChute Network Shutdown 2.21 is vulnerable to directory traversal
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.