CVE-2023-26258 - Incorrect Authorization vulnerability in Arcserve UDP

CVSS 9.8 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Tags: network, low complexity, arcserve, CWE-863, critical

Summary

Arcserve UDP through 9.0.6034 allows authentication bypass. The getVersionInfo method of the WebServiceImpl/services/FlashServiceImpl endpoint leaks the AuthUUID token. That token can then be presented to /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session, and the session can be used to execute any task as administrator. Because no credentials are needed to call getVersionInfo, the bypass is reachable by any network peer of the UDP web service, which is what the CVSS metrics above reflect (network vector, low complexity, no privileges required).
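
As an added illustration (not code from the advisory or from Arcserve), the following Python shows two checks a defender would want here: a version comparison against the stated affected range ("through 9.0.6034"), and a triage heuristic over web-server access logs that flags a client calling the FlashServiceImpl endpoint and then the VirtualStandbyServiceImpl endpoint in quick succession, which is the order the bypass requires. The sample log lines are constructed; the common-log-format layout, the five-minute window and the assumption that both endpoints are POSTed to and appear verbatim as the request path are mine. The heuristic does not inspect SOAP bodies, so on its own it cannot distinguish a legitimate console from an attacker.

```python
import re
from datetime import datetime, timedelta

# Affected range as stated in the advisory: Arcserve UDP "through 9.0.6034".
LAST_AFFECTED = (9, 0, 6034)

# Endpoints named in the advisory. Assumption: both are POSTed to and show up
# verbatim as the request path in the web server's access log.
FLASH_ENDPOINT = "/WebServiceImpl/services/FlashServiceImpl"         # getVersionInfo leaks AuthUUID
VSB_ENDPOINT = "/WebServiceImpl/services/VirtualStandbyServiceImpl"  # AuthUUID -> admin session


def parse_version(version: str) -> tuple:
    """'9.0.6034' -> (9, 0, 6034); stops at the first non-numeric component."""
    parts = []
    for component in version.strip().split("."):
        m = re.match(r"\d+", component)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the reported UDP version lies inside the advisory's 'through 9.0.6034' range."""
    v = parse_version(version)
    if not v:
        raise ValueError(f"unparseable version string: {version!r}")
    width = max(len(v), len(LAST_AFFECTED))

    def pad(t):  # so '9.0' compares as (9, 0, 0) rather than as a shorter tuple
        return t + (0,) * (width - len(t))

    return pad(v) <= pad(LAST_AFFECTED)


# Common log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_bypass_chains(log_lines, window=timedelta(minutes=5)):
    """Flag sources that call FlashServiceImpl and then VirtualStandbyServiceImpl within `window`.

    Returns a list of (client_ip, t_flash, t_vsb) tuples, one per chain. This is a triage
    heuristic (assumed window, no body inspection): a legitimate console may produce the
    same sequence, so baseline it against known console hosts before alerting on it.
    """
    pending = {}  # client_ip -> time of its most recent FlashServiceImpl call
    chains = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than fail
        ip, path = m["ip"], m["path"].split("?", 1)[0]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if path == FLASH_ENDPOINT:
            pending[ip] = ts
        elif path == VSB_ENDPOINT and ip in pending:
            if ts - pending[ip] <= window:
                chains.append((ip, pending[ip], ts))
            del pending[ip]  # report each chain at most once
    return chains


# Constructed sample log (not real Arcserve traffic). 203.0.113.7 shows the two-step
# sequence from the advisory; 198.51.100.4 hits the session endpoint without the leak step.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /WebServiceImpl/services/FlashServiceImpl HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /WebServiceImpl/services/VirtualStandbyServiceImpl HTTP/1.1" 200 1024
198.51.100.4 - - [10/Oct/2023:14:02:11 +0000] "GET / HTTP/1.1" 200 2048
198.51.100.4 - - [10/Oct/2023:14:02:15 +0000] "POST /WebServiceImpl/services/VirtualStandbyServiceImpl HTTP/1.1" 200 1024
""".splitlines()


if __name__ == "__main__":
    for v in ("9.0.6034", "9.0.6035", "8.1"):
        print(f"{v}: {'affected' if is_affected(v) else 'outside stated range'}")
    for ip, t_flash, t_vsb in find_bypass_chains(SAMPLE_LOG):
        print(f"possible AuthUUID bypass chain from {ip}: {t_flash:%H:%M:%S} -> {t_vsb:%H:%M:%S}")
```

Only the first client is reported: it called the leaking endpoint and then the session endpoint two seconds later, while the second client never touched FlashServiceImpl. Feed real access logs through `find_bypass_chains` line by line and treat a hit from an address that is not a known console as worth a closer look at the SOAP bodies.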

Vulnerable Configurations

Part         Description   Count
Application  Arcserve      10

Common Weakness Enumeration (CWE)

CWE-863: Incorrect Authorization