CVE-2007-6339 - Code Injection vulnerability in Akamai Technologies Download Manager 2.2.0.0/2.2.1.0

Publication

2008-05-01

Last modification

2017-08-08

Summary

The Akamai Download Manager (aka DLM or dlmanager) ActiveX control (DownloadManagerV2.ocx) before 2.2.3.5 allows remote attackers to force the download and execution of arbitrary code via unspecified "undocumented object parameters."

Description

Akamai Download Manager is prone to a remote code-execution vulnerability. Exploiting this issue allows remote attackers to execute arbitrary code in the context of applications using the affected ActiveX control and to compromise affected computers. This issue affects versions prior to Download Manager 2.2.3.7.

Solution

The vendor has released Download Manager 2.2.5.5 to resolve this issue; please see the references for details.

  • Akamai Download Manager 2.2.0.0: Akamai Download Manager http://dlm.tools.akamai.com/tools/upgrade.html
  • Akamai Download Manager 2.2.1.0: Akamai Download Manager http://dlm.tools.akamai.com/tools/upgrade.html

Exploit

The following proof of concept is available:

  • /data/vulnerabilities/exploits/28993-2.html
  • /data/vulnerabilities/exploits/28993.html

Classification

CWE-94 - Code Injection

Risk level (CVSS AV:N/AC:M/Au:N/C:P/I:P/A:P)

Medium

6.8

Access Vector

  • Network
  • Adjacent Network
  • Local

Access Complexity

  • Low
  • Medium
  • High

Authentication

  • None
  • Single
  • Multiple

Confidentiality Impact

  • Complete
  • Partial
  • None

Integrity Impact

  • Complete
  • Partial
  • None

Affected Products

Vendor | Product | Versions
Akamai Technologies | Download Manager | 2.2.1.0, 2.2.0.0