CVE-2021-32508
QSAN Storage Manager - UNIX Symbolic Link (Symlink) Following via FileStreaming function
In short
A flaw in QSAN Storage Manager allows authenticated users to read any file on the system by manipulating file paths with symbolic links. An attacker who has login access can exploit this to view sensitive files they shouldn't have permission to access.
Technical detail
Absolute path traversal vulnerability in the FileStreaming function allows authenticated remote attackers to bypass access controls via symbolic link injection through the URL path parameter. The vulnerability requires valid authentication credentials and enables arbitrary file disclosure on the affected system.
Summary generated and translated by AI from the official description.
Absolute Path Traversal vulnerability in FileStreaming in QSAN Storage Manager allows remote authenticated attackers access arbitrary files by injecting the Symbolic Link following the Url path parameter. The referred vulnerability has been solved with the updated version of QSAN Storage Manager v3.3.3.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products
QSAN · Storage ManagerWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →