Title
-----
DDIVRT-2012-42 Novell GroupWise Agents Arbitrary File Retrieval (CVE-2012-0419)

Severity
--------
High

Date Discovered
---------------
April 2, 2012

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$

Vulnerability Description
-------------------------
The HTTP interfaces for Novell GroupWise 8.0.2 Post Office Agent, Message Transfer Agent, and GroupWise Internet Agent are vulnerable to an arbitrary file retrieval condition due to a failure to properly filter certain crafted directory traversal sequences. An unauthenticated remote attacker can leverage this flaw to retrieve files with the privileges of the vulnerable agent.

Solution Description
--------------------
Novell has provided solutions for this issue in the form of GroupWise 8.0 SP3 as well as in the latest GroupWise 2012 SP1 release.

http://www.novell.com/support/kb/doc.php?id=7010772

Tested Systems / Software
-------------------------
Novell GroupWise 8.0.2 Post Office Agent
Novell GroupWise 8.0.2 Message Transfer Agent
Novell GroupWise 8.0.2 GroupWise Internet Agent

Vendor Contact
--------------
Vendor Name: Novell
Vendor Website: http://www.novell.com/