CVE-2023-42000: 
Arcserve Unified Data Protection vulnerability analysis and mitigation

Arcserve UDP prior to version 9.2 contains a path traversal vulnerability (CVE-2023-42000) in com.ca.arcflash.ui.server.servlet.FileHandlingServlet.doUpload(). An unauthenticated remote attacker can exploit it to upload arbitrary files to any location on the file system where the UDP agent is installed. The vulnerability was discovered by Tenable researchers and privately disclosed to Arcserve in August 2023 (Tenable Research).

The vulnerability exists in the FileHandlingServlet.doUpload() component of Arcserve UDP. It allows path traversal that enables unauthorized file uploads to arbitrary locations on systems where the UDP agent is installed. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating it can be exploited remotely without authentication or user interaction (NVD).

If successfully exploited, this vulnerability allows attackers to upload malicious files to any location on the file system where the Arcserve UDP agent is installed. This could potentially lead to remote code execution and full system compromise, given the ability to place files in arbitrary locations (Help Net Security).

Arcserve has released version 9.2 of UDP to address this vulnerability. For environments unable to upgrade to UDP 9.2, manual patches are available for older supported versions: UDP 9.1 (P00002967), UDP 8.1 (P00002968), and Arcserve 7.0 Update 2 (P00002983). These patches must be run individually on each node (Tenable Research).