High severity7.8NVD Advisory· Published Sep 1, 2017· Updated May 13, 2026

CVE-2017-14105

Description

HiveManager Classic through 8.1r1 allows arbitrary JSP code execution by modifying a backup archive before a restore, because the restore feature does not validate pathnames within the archive. An authenticated, local attacker - even restricted as a tenant - can add a jsp at HiveManager/tomcat/webapps/hm/domains/$yourtenant/maps (it will be exposed at the web interface).

Affected products

Aerohive/Hivemanager Classic2 versions
cpe:2.3:a:aerohive:hivemanager_classic:8.0r1:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:aerohive:hivemanager_classic:8.0r1:*:*:*:*:*:*:*
- cpe:2.3:a:aerohive:hivemanager_classic:8.1r1:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

News mentions

No linked articles in our index yet.

cvss	0.507
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000