McAfee ePolicy Orchestrator Framework Service Directory Traversal Vulnerability

The McAfee ePolicy Orchestrator framework service is prone to a directory-traversal vulnerability that can lead to complete system compromise.

The application fails to sanitize user input when accepting POST requests on the '/spipe/pkg' interface. Specifically, it does not validate the directory and filename supplied in the request, allowing an attacker to conduct a directory-traversal attack that can overwrite existing files or place arbitrary files on a vulnerable computer.

A successful exploit may allow unauthorized remote users to overwrite existing files or place arbitrary files on a vulnerable computer.
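
The flaw class described above, as an added example (not McAfee's code and not part of the original advisory): an unchecked join of request-supplied directory and filename fields beside a join that enforces containment. `BASE_DIR`, the function names, the sample inputs and the use of Windows path rules via `ntpath` are all assumptions made for illustration.

```python
import ntpath  # Windows path rules, importable on any OS (assumed target platform)

BASE_DIR = r"C:\Repo\Packages"  # hypothetical package store, not a real product path


class UnsafePath(ValueError):
    """Raised when request-supplied fields would leave BASE_DIR."""


def naive_join(base, directory, filename):
    # Flawed pattern: request fields are joined with no validation.
    return ntpath.normpath(ntpath.join(base, directory, filename))


def _bad_component(name):
    # Win32 drops trailing dots and spaces, so "x." aliases "x" and ".. " aliases "..".
    # ":" would introduce a drive letter or an alternate data stream.
    return not name or name.rstrip(". ") != name or ":" in name or "\x00" in name


def safe_join(base, directory, filename):
    """Return a normalised path strictly below base, or raise UnsafePath."""
    if _bad_component(filename) or "\\" in filename or "/" in filename:
        raise UnsafePath("filename must be a single plain component")
    drive, rest = ntpath.splitdrive(directory)
    if drive or rest.startswith(("\\", "/")):
        raise UnsafePath("directory must be relative")
    parts = [p for p in rest.replace("/", "\\").split("\\") if p not in ("", ".")]
    if any(_bad_component(p) for p in parts):
        raise UnsafePath("directory contains a parent reference or odd component")
    root = ntpath.normpath(base)
    candidate = ntpath.normpath(ntpath.join(root, *parts, filename))
    # Defence in depth: re-check containment on the final normalised path.
    if ntpath.commonpath([root, candidate]) != root or candidate == root:
        raise UnsafePath("path escapes the package store")
    return candidate


if __name__ == "__main__":
    # Constructed inputs, not captured traffic.
    for d, f in [("agents/win", "pkg.zip"), (r"..\..\Other", "file.bin"), (r"D:\x", "f")]:
        print(repr(d), repr(f), "naive ->", naive_join(BASE_DIR, d, f))
        try:
            print("   safe  ->", safe_join(BASE_DIR, d, f))
        except UnsafePath as exc:
            print("   safe  -> rejected:", exc)
```

On a live server the same check should also resolve symlinks and junctions (for example with `os.path.realpath`) before the containment comparison, which this pure-path version does not do.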


 

Copyright 2010, SecurityFocus