GNU social JP
  • FAQ
  • Login
GNU social JPは日本のGNU socialサーバーです。
Usage/ToS/admin/test/Pleroma FE

  • Public

    • Public
    • Network
    • Groups
    • Featured
    • Popular
    • People

Embed Notice

HTML Code

Corresponding Notice

  1. Embed this notice
    Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 08-May-2025 13:25:42 JSTWill DormannWill Dormann
    in reply to

    If we compare pre-patch and post-patch versions of Commvault, we can see that the fix for CVE-2025-34028 is that the endpoints of webpackage.do, deployWebpackage.do, and deployServiceCommcell.do are no longer exempt from authentication. And while they were at it, they removed the web endpoints altogether.

    So yeah, while the CVE entry for CVE-2025-34028 indicates that the vulnerability is a directory traversal, the real vulnerability is (IMO) that an unauthenticated user can install packages on a Commvault server.

    Sure, the directory traversal makes the impact bad. But the underlying problem is that the endpoint can be reached by unauthenticated users. And that's what was corrected with the updates.

    In conversationabout 10 days ago from infosec.exchangepermalink

    Attachments



    2. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/468/688/825/182/229/original/99c3520d4614d87f.png

    3. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/468/693/892/317/739/original/6da412ea449794c0.png



  • Help
  • About
  • FAQ
  • TOS
  • Privacy
  • Source
  • Version
  • Contact

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.