Thank you for your feedback



MarkVision Enterprise Input Validation Vulnerability Security Advisory

Document ID:TE667

Usergroup :External
  Languages  
  Properties  

Solution

Lexmark Security Advisory: 

Revision:  1.0
Last update: 9 December 2014
Public Release Date: 9 December 2014

                          

Summary

Input Validation vulnerability

MarkVision Enterprise contains a vulnerability that allows an unauthenticated remote attacker to download arbitrary files from the MarkVision Enterprise platform.

 

References

CVE: CVE-2014-8742 

Details

MarkVision Enterprise contains a servlet named “ReportDownloadServlet”. This servlet allows an unauthenticated remote attacker to download files from arbitrary locations on the MarkVision Enterprise server, including the ability access the authentication credentials for the MarkVision Enterprise database.

 

Vulnerability Scoring Details 

CVSS Base Score: 7.8    

Impact Subscore: 

6.9

Exploitability Subscore:

10

 

Exploitability: Impact:
Access Vector: Network Confidentiality: Complete
Access Complexity: Low Integrity: None
Authentication: None Availability: None

 CVSS scores are calculated in accordance with CVSS version 2.0 (http://www.first.org/cvss/cvss-guide.html)

 

 Workarounds


Lexmark recommends updating the application if you have a vulnerable version.
 
Please visit http://www.lexmark.com/markvision or contact the Lexmark Technical Support Center at 1-800-539-6275 for additional information.
 

Software Versions and Fixes
 
The vulnerability described in this advisory has been fixed in MarkVision Enterprise v2.1 and all future releases. All releases previous to v2.1 are vulnerable.
 
 
Obtaining Updated Software
 
To obtain MarkVision Enterprise v2.1, please visit http://www.lexmark.com/markvision.
 
 
Exploitation and Public Announcements

Lexmark is not aware of any malicious use of the vulnerability described in this advisory. 

 

Status of this Notice:

This document is provided on an "as is" basis and is provided without any express or implied guarantee or warranty whatsoever, including but not limited to the warranties of merchantability and fitness for a particular use or purpose. Lexmark reserves the right to change or update this document at any time.

 

Distribution

This advisory is posted on Lexmark’s web site at http://support.lexmark.com/alerts.

Future updates to this document will be posted on Lexmark’s web site at the same location.

 

Revision History  

Revision Date Reason
1.0

  9 - December - 2014

Initial Public Release


   

 

 

 

 



Link:
Please enter the email address you would like to send a copy of this page to.