[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

DDIVRT-2013-53 Actuate 'ActuateJavaComponent' Multiple Vulnerabilities



Title
-----
DDIVRT-2013-53 Actuate 'ActuateJavaComponent' Multiple Vulnerabilities

Severity
--------
High

Date Discovered
---------------
March 19, 2013

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: Dennis Lavrinenko, Bobby Lockett, and r@b13$

1. Actuate 'ActuateJavaComponent' Arbitrary File Retrieval

Vulnerability Description
-------------------------
Actuate 10 contains a vulnerability within the 'ActuateJavaComponent'. This 
component allows unauthenticated attackers to retrieve arbitrary system files 
located outside of the web root.

Solution Description
--------------------
A solution for this security issue is not available at this time. End-users can 
mitigate this flaw by limiting access to affected systems through the use of 
access controls.

2. Actuate 'ActuateJavaComponent' Arbitrary Directory Browsing Vulnerability

Vulnerability Description
-------------------------
Actuate 10 contains an arbitrary directory browsing vulnerability within the 
'ActuateJavaComponent'. This vulnerability allows the contents of any drive or 
directory to be browsed within the web application's interface.

Solution Description
--------------------
A solution for this security issue is not available at this time. End-users can 
mitigate this flaw by limiting access to affected systems through the use of 
access controls.

Tested Systems / Software
-------------------------
Actuate 10 Service Pack 1 Fix 4

Vendor Contact
--------------
Vendor Name: Actuate Corporation
Vendor Website: http://www.actuate.com/home/

Current Advisory
--------------
http://www.ddifrontline.com/company/SecuritySpotlight/2013/05/u2545