GNU social JP
  • FAQ
  • Login
GNU social JPは日本のGNU socialサーバーです。
Usage/ToS/admin/test/Pleroma FE

  • Public

    • Public
    • Network
    • Groups
    • Featured
    • Popular
    • People

Untitled attachment

Download link

Notices where this attachment appears

  1. Embed this notice
    Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 08-May-2025 13:25:42 JST Will Dormann Will Dormann
    in reply to

    If we compare pre-patch and post-patch versions of Commvault, we can see that the fix for CVE-2025-34028 is that the endpoints of webpackage.do, deployWebpackage.do, and deployServiceCommcell.do are no longer exempt from authentication. And while they were at it, they removed the web endpoints altogether.

    So yeah, while the CVE entry for CVE-2025-34028 indicates that the vulnerability is a directory traversal, the real vulnerability is (IMO) that an unauthenticated user can install packages on a Commvault server.

    Sure, the directory traversal makes the impact bad. But the underlying problem is that the endpoint can be reached by unauthenticated users. And that's what was corrected with the updates.

    In conversation about 10 days ago from infosec.exchange permalink
  • Help
  • About
  • FAQ
  • TOS
  • Privacy
  • Source
  • Version
  • Contact

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.