In Team82's joint research with Snyk, we examined 16 URL parsing libraries, written in a variety of programming languages, and noticed some inconsistencies with how each chooses to parse a given URL to its basic components. We categorized the types of inconsistencies into five categories, and searched for problematic code flows in web applications and open source libraries that exposed a number of vulnerabilities.
CWE-23 RELATIVE PATH TRAVERSAL:
An 'Arbitary File Deletion' in Samsung DMS (Data Management Server) allows attackers to delete arbitary files from unintended locations on the filesystem. Exploitation is restricted to specific, authorized private IP addresses.
Samsung recommends users to contact a Samsung call center or installer for a software update.
This product is not intended to be connected to the Internet, so please disconnect it from the Internet. Refer to the following statement in the manual: "Use this product only in a separate dedicated network. Samsung Electronics is not liable for any problems caused by connecting it to the Internet or an intranet."
CVSS v3: 8.1
CWE-22 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL'):
An 'Arbitary File Creation' in Samsung DMS (Data Management Server) allows attackers to create arbitary files in unintended locations on the filesystem. Exploitation is restricted to specific, authorized private IP addresses.
Samsung recommends users to contact a Samsung call center or installer for a software update.
This product is not intended to be connected to the Internet, so please disconnect it from the Internet. Refer to the following statement in the manual: "Use this product only in a separate dedicated network. Samsung Electronics is not liable for any problems caused by connecting it to the Internet or an intranet."
CVSS v3: 7.2
CWE-22 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY PATHNAME TO A A RESTRICTED DIRECTORY ('PATH TRAVERSAL'):
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Samsung DMS (Data Management Server) allows authenticated attackers to create arbitary files in unintended locations on the filesystem.
Samsung recommends users to contact a Samsung call center or installer for a software update.
This product is not intended to be connected to the Internet, so please disconnect it from the Internet. Refer to the following statement in the manual: "Use this product only in a separate dedicated network. Samsung Electronics is not liable for any problems caused by connecting it to the Internet or an intranet."
CVSS v3: 7.1
CWE-36 ABSOLUTE PATH TRAVERSAL:
Absolute Path Traversal in Samsung DMS (Data Management Server) allows authenticated attacker (Administrator) to read sensitive files.
Samsung recommends users to contact a Samsung call center or installer for a software update.
This product is not intended to be connected to the Internet, so please disconnect it from the Internet. Refer to the following statement in the manual: "Use this product only in a separate dedicated network. Samsung Electronics is not liable for any problems caused by connecting it to the Internet or an intranet."
CVSS v3: 4.9
CWE-502 DESERIALIZATION OF UNTRUSTED DATA:
Deserialization of Untrusted Data in Samsung DMS (Data Management Server) allows attackers to execute arbitary code via write file to system.
Samsung recommends users to contact a Samsung call center or installer for a software update.
This product is not intended to be connected to the Internet, so please disconnect it from the Internet. Refer to the following statement in the manual: "Use this product only in a separate dedicated network. Samsung Electronics is not liable for any problems caused by connecting it to the Internet or an intranet."
CVSS v3: 8.0
