Vulnerability Description
Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute any task as administrator.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Arcserve | Udp | <= 9.0.6034 |
Related Weaknesses (CWE)
References
- https://support.arcserve.com/s/article/KB000015720?language=en_US
- https://www.arcserve.com/products/arcserve-udpProduct
- https://www.mdsec.co.uk/2023/06/cve-2023-26258-remote-code-execution-in-arcserveExploitTechnical DescriptionThird Party Advisory
- https://support.arcserve.com/s/article/KB000015720?language=en_US
- https://www.arcserve.com/products/arcserve-udpProduct
- https://www.mdsec.co.uk/2023/06/cve-2023-26258-remote-code-execution-in-arcserveExploitTechnical DescriptionThird Party Advisory
FAQ
What is CVE-2023-26258?
CVE-2023-26258 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/se...
How severe is CVE-2023-26258?
CVE-2023-26258 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-26258?
Check the references section above for vendor advisories and patch information. Affected products include: Arcserve Udp.