CVE-2011-4404 – VMware - Update Manager Directory Traversal

https://notcve.org/view.php?id=CVE-2011-4404

The default configuration of the HTTP server in Jetty in vSphere Update Manager in VMware vCenter Update Manager 4.0 before Update 4 and 4.1 before Update 2 allows remote attackers to conduct directory traversal attacks and read arbitrary files via unspecified vectors, a related issue to CVE-2009-1523. La configuración por defecto del servidor HTTP en Jetty en vSphere Update Manager bajo VMware vCenter Update Manager v4.0 antes de la actualización 4 y v4.1 antes de la actualización 2 permite realizar ataques de salto de directorio y leer archivos arbitrarios a atacantes remotos a través de vectores no especificados. Se trata de un problema relacionado con CVE-2009 -1523. VMware Update Manager versions 4.1 prior to update 2 suffer from a directory traversal vulnerability. • https://www.exploit-db.com/exploits/18138 http://jetty.codehaus.org/jetty/jetty-6/xref/org/mortbay/jetty/handler/ResourceHandler.html http://jetty.codehaus.org/jetty/jetty-6/xref/org/mortbay/jetty/servlet/DefaultServlet.html http://www.securitytracker.com/id?1026341 http://www.vmware.com/security/advisories/VMSA-2011-0014.html https://www.vmware.com/security/advisories/VMSA-2011-0014.html http://dsecrg.com/pages/vul/show.php?id=342 • CWE-16: Configuration •