CVE-2019-3474

Path traversal vulnerability in Filr web application

Severity Score

6.5

*CVSS v3

Exploit Likelihood

3.6%

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A path traversal vulnerability in the web application component of Micro Focus Filr 3.x allows a remote attacker authenticated as a low privilege user to download arbitrary files from the Filr server. This vulnerability affects all versions of Filr 3.x prior to Security Update 6.

Una vulnerabilidad de salto de directorio en el componente de aplicación web de Micro Focus Filr, en versiones 3.x, permite que un atacante remoto autenticado como usuario con pocos privilegios descargue archivos arbitrarios del servidor Filr. Esta vulnerabilidad afecta a todas las versiones 3.x de Filr anteriores al Security Update 6.

Micro Focus Filr version 3.4.0.217 suffers from privilege escalation and path traversal vulnerabilities.

*Credits: This vulnerability was discovered and researched by Matias Choren from SecureAuth.

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-12-31 CVE Reserved
2019-02-20 CVE Published
2019-02-20 First Exploit
2024-08-04 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (4)

URL	Tag	Source
https://download.novell.com/Download?buildid=nZ...	X_refsource_misc
https://support.microfocus.com/kb/doc.php?id=70...	X_refsource_misc

1 - 2 of 2

URL	Date	SRC
https://packetstorm.news/files/id/151803	2019-02-20
https://www.exploit-db.com/exploits/46450	2024-08-04

1 - 2 of 2

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions (6)

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Microfocus Search vendor "Microfocus"	Filr Search vendor "Microfocus" for product "Filr"	3.0 Search vendor "Microfocus" for product "Filr" and version "3.0"	-	Affected	in	Suse Search vendor "Suse"	Suse Linux Enterprise Server Search vendor "Suse" for product "Suse Linux Enterprise Server"	11 Search vendor "Suse" for product "Suse Linux Enterprise Server" and version "11"	-	Safe
Microfocus Search vendor "Microfocus"	Filr Search vendor "Microfocus" for product "Filr"	3.0 Search vendor "Microfocus" for product "Filr" and version "3.0"	update_1	Affected	in	Suse Search vendor "Suse"	Suse Linux Enterprise Server Search vendor "Suse" for product "Suse Linux Enterprise Server"	11 Search vendor "Suse" for product "Suse Linux Enterprise Server" and version "11"	-	Safe
Microfocus Search vendor "Microfocus"	Filr Search vendor "Microfocus" for product "Filr"	3.0 Search vendor "Microfocus" for product "Filr" and version "3.0"	update_2	Affected	in	Suse Search vendor "Suse"	Suse Linux Enterprise Server Search vendor "Suse" for product "Suse Linux Enterprise Server"	11 Search vendor "Suse" for product "Suse Linux Enterprise Server" and version "11"	-	Safe
Microfocus Search vendor "Microfocus"	Filr Search vendor "Microfocus" for product "Filr"	3.0 Search vendor "Microfocus" for product "Filr" and version "3.0"	update_3	Affected	in	Suse Search vendor "Suse"	Suse Linux Enterprise Server Search vendor "Suse" for product "Suse Linux Enterprise Server"	11 Search vendor "Suse" for product "Suse Linux Enterprise Server" and version "11"	-	Safe
Microfocus Search vendor "Microfocus"	Filr Search vendor "Microfocus" for product "Filr"	3.0 Search vendor "Microfocus" for product "Filr" and version "3.0"	update_4	Affected	in	Suse Search vendor "Suse"	Suse Linux Enterprise Server Search vendor "Suse" for product "Suse Linux Enterprise Server"	11 Search vendor "Suse" for product "Suse Linux Enterprise Server" and version "11"	-	Safe
Microfocus Search vendor "Microfocus"	Filr Search vendor "Microfocus" for product "Filr"	3.0 Search vendor "Microfocus" for product "Filr" and version "3.0"	update_5	Affected	in	Suse Search vendor "Suse"	Suse Linux Enterprise Server Search vendor "Suse" for product "Suse Linux Enterprise Server"	11 Search vendor "Suse" for product "Suse Linux Enterprise Server" and version "11"	-	Safe

1 - 6 of 6