Arcserve Unified Data Protection 9.2 Multiple Vulnerabilities
Tenable Research Advisories www.tenable.com
Multiple vulnerabilities exist in Arcserve Unified Data Protection (UDP) 9.2.
CVE-2024-0799 - wizardLogin Authentication Bypass (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
An authentication bypass vulnerability exists in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin(). The method only calls validateUser() when the password argument is non-null; when a NULL password is passed, it falls through to an else branch that establishes the login with a UUID instead of checking the supplied credentials:
public void doLogin(HttpSession session, Boolean isLocal, String username, String password, String domain, String hostname, String protocol, int port) throws ClientException {
    [...]
    if (password != null) {
        // password supplied: credentials are actually checked
        client.getBaseService().validateUser(username, password, domain);
    } else {
        // password NULL: validateUser() is skipped and a UUID is used instead
        String uuid …
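To make the failure mode concrete, the following Python model reproduces the branch structure visible in the decompiled doLogin() above: a present password goes through credential validation, an absent (null) password takes the UUID branch. It is an added example, not Arcserve's code or Tenable's; the credential store, the request bodies and what the UUID branch does with the token are all constructed assumptions, since the real UUID branch is elided on the page. The hardened variant shows the fix a reviewer would expect: a missing password is a failed login, not an alternate code path.

```python
"""Model of the null-password branch in EdgeLoginServiceImpl.doLogin().

Added example; the real Arcserve code is Java and its UUID branch is not
shown in full on the page, so everything past the `if password is None`
decision is an assumption used only to make the two paths observable.
"""
import json
import uuid
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed credential store standing in for validateUser() (assumption).
_USERS = {("administrator", "arcserve"): "Password123!"}


class ClientException(Exception):
    """Mirrors the checked exception declared on doLogin()."""


def validate_user(username: str, password: str, domain: str) -> None:
    """Stand-in for client.getBaseService().validateUser()."""
    if _USERS.get((username, domain)) != password:
        raise ClientException("invalid credentials")


@dataclass
class Session:
    """Minimal stand-in for HttpSession."""
    attrs: Dict[str, str] = field(default_factory=dict)


def do_login_vulnerable(session: Session, username: str,
                        password: Optional[str], domain: str) -> Session:
    """Same branch structure as the decompiled doLogin()."""
    if password is not None:
        validate_user(username, password, domain)      # real credential check
    else:
        # Assumed behaviour of the elided branch: a fresh UUID becomes the
        # session token and no credential is ever checked.
        session.attrs["token"] = str(uuid.uuid4())
    session.attrs["user"] = f"{domain}\\{username}"
    return session


def do_login_fixed(session: Session, username: str,
                   password: Optional[str], domain: str) -> Session:
    """Hardened variant: null is treated as a failed login, not a bypass."""
    if password is None:
        raise ClientException("password required")
    validate_user(username, password, domain)
    session.attrs["user"] = f"{domain}\\{username}"
    return session


def login_from_request(login_fn, body: str) -> bool:
    """Deserialize a (constructed) JSON login request and report whether a
    session for the user was established. A body that simply omits the
    "password" key deserializes to None, which is the dangerous input."""
    req = json.loads(body)
    try:
        s = login_fn(Session(), req.get("username"), req.get("password"),
                     req.get("domain"))
    except ClientException:
        return False
    return "user" in s.attrs


# Constructed request bodies: the bypass case omits the password entirely.
REQ_NO_PASSWORD = '{"username": "administrator", "domain": "arcserve"}'
REQ_WRONG_PASSWORD = ('{"username": "administrator", "domain": "arcserve", '
                      '"password": "guess"}')
REQ_GOOD_PASSWORD = ('{"username": "administrator", "domain": "arcserve", '
                     '"password": "Password123!"}')

if __name__ == "__main__":
    for name, body in [("no password", REQ_NO_PASSWORD),
                       ("wrong password", REQ_WRONG_PASSWORD),
                       ("good password", REQ_GOOD_PASSWORD)]:
        print(f"{name:15s} vulnerable={login_from_request(do_login_vulnerable, body)} "
              f"fixed={login_from_request(do_login_fixed, body)}")
```

The point worth checking in your own code is the difference between a wrong password and a missing one: an empty string still reaches validate_user() and fails, while None never reaches it at all. Any login path that branches on "credential present" rather than "credential valid" should be treated as a bypass candidate.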