A directory traversal vulnerability in Hewlett Packard Enterprise Insight Remote Support may allow remote code execution.
The vulnerability consists of improper validation of file paths (path traversal, CWE-22), which allows an attacker to escape the allowed directory and gain access to arbitrary file system resources. Also classified as CWE-552 (Files or Directories Accessible to External Parties), suggesting the possibility of reading or writing system files through the network interface. Exploitation of the vulnerability does not require authentication or user interaction, and the attack can be conducted remotely over the network.
Successful exploitation of the vulnerability may lead to complete remote code execution (RCE) on the affected system, and consequently to takeover of server control, violation of data confidentiality and integrity, and disruption of service availability.
Patches available from the vendor should be applied in accordance with the references — details in the official HPE bulletin: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04731en_us
HPE Insight Remote Support — versions specified in vendor references (HPE SBGN04731 document)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HHPE Insight Remote Support
APPHpe< 7.14.0.629
Related vulnerabilities
RCE w HPE Insight Remote Support — krytyczna podatność zdalna
A vulnerability in HPE Insight Remote Support (IRS) prior to v7.15.0.646 may allow an unauthenticated denial o...
A path traversal vulnerability exists in HPE Insight Remote Support (IRS) prior to v7.15.0.646.
An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to d...
An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to d...