First published: Fri Feb 19 2010(Updated: )
Accellion Secure File Transfer Appliance before 8_0_105 does not properly restrict access to sensitive commands and arguments that run with extra sudo privileges, which allows local administrators to gain privileges via (1) arbitrary arguments in the --file_move action in /usr/local/bin/admin.pl, or a hard link attack in (2) chmod or (3) a certain cp command.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Accellion File Transfer Appliance | =7_0_296 | |
Accellion File Transfer Appliance | =7_0_178 | |
Accellion File Transfer Appliance | =7_0_135 | |
Accellion File Transfer Appliance | =7_0_259 | |
Accellion File Transfer Appliance | =7_0_189 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2009-4648 is considered a critical vulnerability due to the potential for local privilege escalation.
To fix CVE-2009-4648, update the Accellion Secure File Transfer Appliance to version 8_0_105 or later.
CVE-2009-4648 affects multiple versions of the Accellion Secure File Transfer Appliance prior to 8_0_105.
CVE-2009-4648 allows local administrators to execute arbitrary commands with elevated permissions.
There are no known workarounds for CVE-2009-4648; upgrading to the fixed version is recommended.