CVE-2014-7883
Description
HP Universal CMDB Probe versions 9.05, 10.01, and 10.11 enable the HTTP TRACE method, allowing remote attackers to read sensitive information from HTTP headers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
HP Universal CMDB (UCMDB) Probe versions 9.05, 10.01, and 10.11 enable the HTTP TRACE method on the embedded web server. The HTTP TRACE method, as defined in RFC 2616, echoes the client's request back in the response body, including all HTTP headers. This configuration exposes the server to information disclosure via the TRACE verb.
Exploitation
An attacker can send an HTTP TRACE request to the UCMDB Probe. The server responds with the original request headers, which may contain sensitive data such as cookies, authentication tokens, or other credentials. No authentication or special privileges are required to send the TRACE request. The attack can be performed remotely over the network. When combined with cross-domain browser vulnerabilities, this technique (known as Cross-Site Tracing or XST) can be used to steal cookies from third-party domains, as described in [1].
Impact
Successful exploitation allows a remote attacker to read sensitive information from HTTP headers, including session cookies and authentication data. This can lead to session hijacking, credential theft, and further compromise of the UCMDB system or associated applications. The impact is limited to information disclosure, but the stolen data can be leveraged for more severe attacks.
Mitigation
No specific fix is mentioned in the available references [1]. The recommended mitigation is to disable the HTTP TRACE method on the web server component of the UCMDB Probe. This can typically be achieved by modifying the web server configuration to reject TRACE requests. Administrators should consult HP documentation for the appropriate configuration steps for their version.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:hp:universal_configuration_management_database:10.01:*:*:*:*:*:*:*
- cpe:2.3:a:hp:universal_configuration_management_database:10.11:*:*:*:*:*:*:*
- cpe:2.3:a:hp:universal_configuration_management_database:9.05:*:*:*:*:*:*:*
- Range: 9.05, 10.01, 10.11
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.kb.cert.org/vuls/id/867593 (nvd: Third Party Advisory, US Government Resource)
- www.securitytracker.com/id/1031688 (nvd: Third Party Advisory, VDB Entry)
- h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay (nvd: Not Applicable)
News mentions
No linked articles in our index yet.