Lexmark Security Advisory:
| Revision: | 1.0 |
| Last update: | 9 December 2014 |
| Public Release Date: | 9 December 2014 |
Summary
Input Validation vulnerability
MarkVision Enterprise contains a vulnerability that allows an unauthenticated remote attacker to download arbitrary files from the MarkVision Enterprise platform.
References
CVE: CVE-2014-8742
Details
MarkVision Enterprise contains a servlet named “ReportDownloadServlet”. This servlet allows an unauthenticated remote attacker to download files from arbitrary locations on the MarkVision Enterprise server, including the ability access the authentication credentials for the MarkVision Enterprise database.
Vulnerability Scoring Details
| CVSS Base Score: | 7.8 |
Impact Subscore: | 6.9 |
Exploitability Subscore: | 10 |
| Exploitability: | Impact: |
| Access Vector: Network | Confidentiality: Complete |
| Access Complexity: Low | Integrity: None |
| Authentication: None | Availability: None |
CVSS scores are calculated in accordance with CVSS version 2.0 (http://www.first.org/cvss/cvss-guide.html)
Workarounds
http://www.lexmark.com/markvisionSoftware Versions and FixesObtaining Updated Softwarehttp://www.lexmark.com/markvisionExploitation and Public Announcements
Lexmark is not aware of any malicious use of the vulnerability described in this advisory.
Status of this Notice:
This document is provided on an "as is" basis and is provided without any express or implied guarantee or warranty whatsoever, including but not limited to the warranties of merchantability and fitness for a particular use or purpose. Lexmark reserves the right to change or update this document at any time.
Distribution
This advisory is posted on Lexmark’s web site at http://support.lexmark.com/alerts.
Future updates to this document will be posted on Lexmark’s web site at the same location.
Revision History
| Revision | Date | Reason |
| 1.0 | 9 - December - 2014 | Initial Public Release |
LEGACY ID: TE667
Escalation Item # ?
?