CVE-2016-5765: Infoleak
First published: Tue Nov 29 2016(Updated: )
Administrative Server in Micro Focus Host Access Management and Security Server (MSS) and Reflection for the Web (RWeb) and Reflection Security Gateway (RSG) and Reflection ZFE (ZFE) allows remote unauthenticated attackers to read arbitrary files via a specially crafted URL that allows limited directory traversal. Applies to MSS 12.3 before 12.3.326 and MSS 12.2 before 12.2.342 and RSG 12.1 before 12.1.362 and RWeb 12.3 before 12.3.312 and RWeb 12.2 before 12.2.342 and RWeb 12.1 before 12.1.362 and ZFE 2.0.1 before 2.0.1.18 and ZFE 2.0.0 before 2.0.0.52 and ZFE 1.4.0 before 1.4.0.14.
Credit: meissner@suse.de
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microfocus Host Access Management And Security Server | =12.2 | |
| Microfocus Host Access Management And Security Server | =12.3 | |
| Microfocus Reflection For The Web | =12.1 | |
| Microfocus Reflection For The Web | =12.2 | |
| Microfocus Reflection For The Web | =12.3 | |
| Microfocus Reflection Security Gateway | =12.1 | |
| Microfocus Reflection ZFE | =1.4.0.14 | |
| Microfocus Reflection ZFE | =2.0.0.52 | |
| Microfocus Reflection ZFE | =2.0.1.18 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2016-5765?
CVE-2016-5765 is classified as a vulnerability that allows remote unauthenticated attackers to read arbitrary files, indicating a high severity risk.
How do I fix CVE-2016-5765?
To mitigate CVE-2016-5765, you should update to the latest versions of affected software: Micro Focus Host Access Management and Security Server, Reflection for the Web, Reflection Security Gateway, and Reflection ZFE.
What products are impacted by CVE-2016-5765?
CVE-2016-5765 affects Micro Focus Host Access Management and Security Server versions 12.2 and 12.3, Reflection for the Web versions 12.1, 12.2, and 12.3, Reflection Security Gateway version 12.1, and Reflection ZFE versions 1.4.0.14, 2.0.0.52, and 2.0.1.18.
Can CVE-2016-5765 be exploited remotely?
Yes, CVE-2016-5765 can be exploited by remote unauthenticated attackers.
What type of attack is CVE-2016-5765 associated with?
CVE-2016-5765 is associated with a file read vulnerability that allows attackers to access sensitive file information.
- agent/weakness
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/remedy
- agent/references
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/microfocus
- canonical/microfocus host access management and security server
- version/microfocus host access management and security server/12.2
- version/microfocus host access management and security server/12.3
- canonical/microfocus reflection for the web
- version/microfocus reflection for the web/12.1
- version/microfocus reflection for the web/12.2
- version/microfocus reflection for the web/12.3
- canonical/microfocus reflection security gateway
- version/microfocus reflection security gateway/12.1
- canonical/microfocus reflection zfe
- version/microfocus reflection zfe/1.4.0.14
- version/microfocus reflection zfe/2.0.0.52
- version/microfocus reflection zfe/2.0.1.18