Vulnerabilities > CVE-2023-26258 - Incorrect Authorization vulnerability in Arcserve UDP
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute any task as administrator.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 12 |
Common Weakness Enumeration (CWE)
References
- https://support.arcserve.com/s/article/KB000015720?language=en_US
- https://support.arcserve.com/s/article/KB000015720?language=en_US
- https://www.arcserve.com/products/arcserve-udp
- https://www.arcserve.com/products/arcserve-udp
- https://www.mdsec.co.uk/2023/06/cve-2023-26258-remote-code-execution-in-arcserve-udp-backup/
- https://www.mdsec.co.uk/2023/06/cve-2023-26258-remote-code-execution-in-arcserve-udp-backup/