
AS-2023-007: EZ Sync on ADM

2023-06-29

Severity

Important

Status

Resolved


Statement

The EZ Sync service fails to adequately handle user input, allowing an attacker to navigate beyond the intended directory structure and delete files.

  • The issue has been fixed on ADM 4.2.2.RI61 and ADM 4.0.6.RIS1.

Affected Products

Product            Severity    Fixed Release Availability
ADM 4.2 and 4.1    Important   Upgrade to ADM 4.2.2.RI61 or above.
ADM 4.0            Important   Upgrade to 4.0.6.RIS1 or above.

Detail

  • CVE-2023-2909
    • Severity: High
    • CVSS3 Base Score: 8.5
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
    • The EZ Sync service fails to adequately handle user input, allowing an attacker to navigate beyond the intended directory structure and delete files. Affected products and versions include ADM 4.0.6.REG2 and 4.1.0 and below, as well as ADM 4.2.1.RGE2 and below.

Acknowledgement

JuYang.Gao (chumen77) from Dbappsecurity Co.,Ltd


Revision

Revision   Date         Description
1          2023-05-31   Initial public release.
2          2023-05-31   CVE ID (CVE-2023-2909) is assigned for the issue.
3          2023-06-06   Release ADM 4.2.2.RI61 to fix the issue.
4          2023-06-29   Release ADM 4.0.6.RIS1 to fix the issue.