ZDI-23-1495: A10 Thunder ADC ShowTechDownloadView Directory Traversal Information Disclosure Vulnerability
First published: Wed Oct 04 2023(Updated: )
This vulnerability allows remote attackers to disclose sensitive information on affected installations of A10 Thunder ADC. Authentication is required to exploit this vulnerability. The specific flaw exists within the ShowTechDownloadView class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the service account.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| A10 Thunder ADC |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of ZDI-23-1495?
The severity of ZDI-23-1495 is classified as medium due to potential sensitive information disclosure.
How do I fix ZDI-23-1495?
To fix ZDI-23-1495, update to the latest version of A10 Thunder ADC that addresses this vulnerability.
What kind of attacks can exploit ZDI-23-1495?
ZDI-23-1495 can be exploited by authenticated remote attackers to disclose sensitive information.
What component is affected by ZDI-23-1495?
ZDI-23-1495 specifically affects the ShowTechDownloadView class within A10 Thunder ADC.
Is authentication required to exploit ZDI-23-1495?
Yes, authentication is required to exploit the vulnerability identified by ZDI-23-1495.
- collector/zdi-published
- alias/ZDI-CAN-17899
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/references
- agent/severity
- agent/title
- agent/description
- collector/zdi-advisory
- source/ZDI
- alias/ZDI-23-1495
- alias/CVE-2023-42129
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- agent/event
- agent/source
- vendor/a10
- canonical/a10 thunder adc