McAfee ePolicy Orchestrator 4.6.x Multiple Vulnerabilities (SB10042)

high Nessus Plugin ID 66319

Synopsis

A security management application on the remote host has multiple vulnerabilities.

Description

According to its self-reported version, the version of McAfee ePolicy Orchestrator running on the remote host has the following vulnerabilities :

- An unspecified SQL injection vulnerability exists in the Agent-Handler component. A remote, unauthenticated attacker could exploit this to execute arbitrary code as root. (CVE-2013-0140)

- An unspecified directory traversal vulnerability exists in the file upload process. A remote, unauthenticated attacker could exploit this to upload arbitrary files.
(CVE-2013-0141)

Solution

Upgrade to ePolicy Orchestrator 4.6.6 / 5.0 or later.

See Also

https://kc.mcafee.com/corporate/index?page=content&id=SB10042

Plugin Details

Severity: High

ID: 66319

File Name: mcafee_epo_sb10042.nasl

Version: 1.10

Type: remote

Family: CGI abuses

Published: 5/4/2013

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.9

Temporal Score: 6.2

Vector: CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:mcafee:epolicy_orchestrator

Required KB Items: www/epo_app_server

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/26/2013

Vulnerability Publication Date: 4/26/2013

Reference Information

CVE: CVE-2013-0140, CVE-2013-0141

BID: 59500, 59505

CERT: 209131

MCAFEE-SB: SB10042