EMC Documentum Multiple Content Server Vulnerabilities (ESA-2014-046)

October 1, 2016

Vulnerability category: CGI

Vulnerability severity:

Vulnerability Information

EMC Documentum Platform: Critical enterprise content management access and control of all your information assets.

Documentum is prone to the following vulnerabilities:
Privilege Escalation (CVE-2014-2506): Authenticated non-privileged users are allowed to create system objects with superuser privileges because authorization checks on these objects are performed improperly. A malicious attacker may exploit this to gain unauthorized access to data or to perform unauthorized actions on Content Server.
Shell Injection (CVE-2014-2507): Certain methods in Documentum Content Server validate their input arguments improperly. An authenticated malicious user may exploit this to conduct shell injection attacks against these methods and perform unauthorized actions on Content Server.
DQL Injection (CVE-2014-2508): Certain DQL hints in Documentum Content Server may be exploited by an authenticated malicious user to conduct DQL injection attacks and perform unauthorized database actions.

Affected Versions:
EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P14, 7.0 before P15, and 7.1 before P05

Impact

Successful exploitation allows remote authenticated users to execute arbitrary commands via shell metacharacters in arguments to unspecified methods. It also allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and bypass intended restrictions on database actions via vectors involving DQL hints.

Solution

The vendor recommends that all customers upgrade to one of the versions listed below at the earliest opportunity:
EMC Documentum Content Server 7.1 P05 and later
EMC Documentum Content Server 7.0 P15 and later
EMC Documentum Content Server 6.7 SP2 P14 and later
EMC Documentum Content Server 6.7 SP1 P28 and later

Patch:
The following are links for downloading patches that fix the vulnerabilities:

ESA-2014-046
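
The affected and fixed patch levels listed above can be checked against a server inventory mechanically. The following Python is an added example, not code from EMC or from the original page; it assumes version labels are written in the advisory's own notation (for example `6.7 SP2 P14`), and the host names and inventory are constructed.

```python
import re

# First fixed patch level per (release, service pack), as listed in the advisory.
FIXED = {("6.7", 1): 28, ("6.7", 2): 14, ("7.0", 0): 15, ("7.1", 0): 5}

# Assumed label format, following the advisory's notation: "6.7 SP2 P14", "7.1 P05".
LABEL = re.compile(r"^\s*(\d+)\.(\d+)(?:\s+SP(\d+))?(?:\s+P(\d+))?\s*$", re.I)


def parse_label(label):
    """Split a label into ((major, minor), service_pack, patch); missing parts are 0."""
    m = LABEL.match(label)
    if not m:
        raise ValueError(f"unrecognised version label: {label!r}")
    major, minor, sp, patch = m.groups()
    return (int(major), int(minor)), int(sp or 0), int(patch or 0)


def assess(label):
    """Return 'affected', 'fixed' or 'not-listed' for one Content Server label."""
    release, sp, patch = parse_label(label)
    key = ("%d.%d" % release, sp)
    if key in FIXED:
        return "affected" if patch < FIXED[key] else "fixed"
    # "before 6.7 SP1 P28" also covers every line older than 6.7 SP1.
    if (release, sp) < ((6, 7), 1):
        return "affected"
    # Release lines the advisory does not mention.
    return "not-listed"


def triage(inventory):
    """Map host -> status; unparseable labels are flagged instead of skipped."""
    result = {}
    for host, label in inventory.items():
        try:
            result[host] = assess(label)
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed inventory (hypothetical host names and labels).
SAMPLE = {"cs-prod-01": "6.7 SP1 P27", "cs-prod-02": "6.7 SP2 P14",
          "cs-test-01": "7.1 p04", "cs-old-01": "6.5 SP3", "cs-dev-01": "7.1.0050"}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as `not-listed` or `unparseable` are not covered by the version ranges in this advisory and need to be checked by hand.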

Last updated: October 22, 2016