An application on the remote web server has a directory traversal vulnerability.
The version of Jetty web server included with VMware vCenter Update Manager on the remote host has a directory traversal vulnerability. This is a variant of the issue previously addressed by VMware advisory VMSA-2010-0012. The web server runs as SYSTEM by default. A remote, unauthenticated attacker could exploit this to read arbitrary files from the host.
Upgrade to vCenter Update Manager 4.1 Update 2 / 4.0 Update 4 or later.