Hitachi Content Platform Anywhere (HCP-AW) 4.4.5 and Later Allows Information Disclosure

Priority: High

Status: Resolved

 

First Published: 2021, September 30

Advisory Version: [1.0]

References: CVE-2021-41573

Summary

If an authenticated user creates a link to a file or folder while the system is running version 4.3.x or earlier, shares the link, later deletes the file or folder without deleting the link and before the link expires, and the system has been upgraded to version 4.4.5 or 4.5.0, a malicious user with the link could browse and download all files of the authenticated user who created the link.

Affected Products

Vulnerable Products

The following matrix lists Hitachi Vantara products and solutions which have been confirmed to be affected by this vulnerability. If a Fixed Release Version is accompanied by a future date, the date is the best estimate we can provide based on current information and mitigation testing progress. If no Fixed Release Version is indicated for an affected product, Hitachi Vantara is continuing to evaluate the fix, and will update this advisory as additional information becomes available.

| Product | Fixed Release Version |
| --- | --- |
| Content Products | |
| Content Platform Anywhere | 4.4.6 - 2021 Oct 8; 4.5.1 - 2021 Oct 12 |

 

Products Confirmed Not Vulnerable

At the time of this advisory's publication, only products listed in the Vulnerable Products section above are confirmed to be affected by this vulnerability.

 

Recommended Actions

Please continue to check this Security Advisory, as new information will be added to it as it becomes available.

Users and administrators are encouraged to upgrade to a fixed version.

Pending the release of the fixed versions of HCP AW, please follow the recommended action at https://support.hitachivantara.com/e...021091701.html

If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center, or your Vantara-authorized service and support provider.

The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.
