CVE-2014-2609
critical
CVSS v3
—
CVSS v2
10.0
VIR risk
10.0
Description
The Java Glassfish Admin Console in HP Executive Scorecard 9.40 and 9.41 does not require authentication, which allows remote attackers to execute arbitrary code via a session on TCP port 10001, aka ZDI-CAN-2116.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: hp-security-alert@hp.com — https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04341295
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| hp | executive_scorecard | 9.40 | |
| hp | executive_scorecard | 9.41 | |
References
- http://secunia.com/advisories/59363
- http://www.securityfocus.com/bid/68093
- http://www.securitytracker.com/id/1030439
- http://zerodayinitiative.com/advisories/ZDI-14-208/
- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04341295
- http://secunia.com/advisories/59363
- http://www.securityfocus.com/bid/68093
- http://www.securitytracker.com/id/1030439
- http://zerodayinitiative.com/advisories/ZDI-14-208/
- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04341295
CWEs
CWE-287
Verify integrity in audit chain (admin only). AS-IS.