CVE-2017-15014

OpenText Documentum Content Server - Arbitrary File Download

Severity Score

4.3

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

OpenText Documentum Content Server (formerly EMC Documentum Content Server) through 7.3 contains the following design gap, which allows authenticated users to download arbitrary content files regardless of the attacker's repository permissions: When an authenticated user uploads content to the repository, he performs the following steps: (1) calls the START_PUSH RPC-command; (2) uploads the file to the content server; (3) calls the END_PUSH_V2 RPC-command (here, Content Server returns a DATA_TICKET integer, intended to identify the location of the uploaded file on the Content Server filesystem); (4) creates a dmr_content object in the repository, which has a value of data_ticket equal to the value of DATA_TICKET returned at the end of END_PUSH_V2 call. As the result of this design, any authenticated user may create his own dmr_content object, pointing to already existing content in the Content Server filesystem.

OpenText Documentum Content Server (anteriormente conocido como EMC Documentum Content Server) hasta la versión 7.3 contiene el siguiente fallo de diseño, que permite que usuarios autenticados descarguen archivos de contenido arbitrario, independientemente de los permisos de repositorio del atacante: Cuando un usuario autenticado sube contenido al repositorio, lleva a cabo los siguientes pasos: (1) llama al comando RCP START_PUSH; (2) sube el archivo al servidor de contenido; (3) llama al comando RCP END_PUSH_V2 (aquí, Content Server devuelve un entero DATA_TICKET que debería identificar la localización del archivo subido en el sistema de archivos Content Server); (4) crea un objeto dmr_content en el repositorio, el cual tiene un valor de data_ticket igual al valor de DATA_TICKET devuelto al final de una llamada END_PUSH_V2. Como resultado de este diseño, cualquier usuario autenticado puede crear su propio objeto dmr_content, apuntando a contenido que ya existe en el sistema de archivos Content Server.

Opentext Documentum Content Server (formerly known as EMC Documentum Content Server) contains a design gap that allows authenticated user to download arbitrary content files regardless of the attacker's repository permissions.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-10-03 CVE Reserved
2017-10-13 CVE Published
2023-03-27 EPSS Updated
2024-08-05 CVE Updated
2024-08-05 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-269: Improper Privilege Management

CAPEC

References (3)

URL	Tag	Source
http://seclists.org/bugtraq/2017/Oct/19	Mailing List
http://www.securityfocus.com/bid/101639	Vdb Entry

URL	Date	SRC
https://www.exploit-db.com/exploits/43005	2024-08-05

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Opentext Search vendor "Opentext"		Documentum Content Server Search vendor "Opentext" for product "Documentum Content Server"				<= 7.3 Search vendor "Opentext" for product "Documentum Content Server" and version " <= 7.3"		-		Affected