Vulnerability Description
BASIS BBj versions prior to 25.00 contain a Jetty-served web endpoint that fails to properly validate or canonicalize input path segments. This allows unauthenticated directory traversal sequences to cause the server to read arbitrary system files accessible to the account running the service. Retrieved configuration artifacts may contain account credentials used for BBj Enterprise Manager; possession of these credentials enables administrative access and use of legitimate management functionality that can result in execution of system commands under the service account. Depending on the operating system and the privileges of the BBj service account, this issue may also allow access to other sensitive files on the host, including operating system or application data, potentially exposing additional confidential information.
Related Weaknesses (CWE)
References
- https://myemail.constantcontact.com/BASIS-International-Ltd--releases-BBj---the-
- https://www.vulncheck.com/advisories/basis-bbj-unauthenticated-arbitrary-file-re
FAQ
What is CVE-2025-34320?
CVE-2025-34320 is a documented vulnerability. BASIS BBj versions prior to 25.00 contain a Jetty-served web endpoint that fails to properly validate or canonicalize input path segments. This allows unauthenticated directory traversal sequences to ...
How severe is CVE-2025-34320?
CVSS scoring is not yet available for CVE-2025-34320. Check NVD for updates.
Is there a patch for CVE-2025-34320?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.