CVE-2022-29097
Description
Dell WMS 3.6.1 and below contains a Path Traversal vulnerability in Device API. A remote attacker could potentially exploit this vulnerability to gain unauthorized read access to the files stored on the server filesystem, with the privileges of the running web application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dell Wyse Management Suite 3.6.1 and below contains a path traversal vulnerability in the Device API that allows an authenticated remote attacker to read arbitrary files on the server.
Vulnerability
A path traversal vulnerability exists in the Device API of Dell Wyse Management Suite (WMS) versions 3.6.1 and below. The flaw is present in proprietary code and allows an attacker to manipulate file paths via the API, leading to unauthorized file access on the server filesystem [1].
Exploitation
An attacker must be authenticated with high privileges (e.g., administrative access) and have network connectivity to the WMS server. By sending a specially crafted HTTP request to the vulnerable Device API endpoint with path traversal sequences (e.g., ../), the attacker can navigate outside the intended directory and read arbitrary files [1].
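For defenders reviewing web access logs from a WMS server, the following added example (not Dell's code and not part of the advisory) flags requests whose target contains a `..` path segment after repeated percent-decoding and backslash normalisation. The advisory text here does not name the endpoint, so the `/example-api/device/` prefix and the log lines are constructed placeholders, and a combined-format access log is assumed.

```python
import re
from urllib.parse import unquote

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." that stands alone as a path segment or parameter value prefix.
DOTDOT_RE = re.compile(r'(?:^|[/=&?])\.\.(?:/|$|[&?#])')
MAX_DECODE_ROUNDS = 3  # enough to unwrap double-encoded sequences
API_PREFIX = "/example-api/device/"  # hypothetical prefix; the real path is not on the page

# Constructed sample log lines (documentation IP range, invented paths).
SAMPLE_LOG = [
    '198.51.100.7 - admin [01/Jan/2022:10:00:00 +0000] "GET /example-api/device/file?name=report.txt HTTP/1.1" 200 512',
    '198.51.100.7 - admin [01/Jan/2022:10:00:05 +0000] "GET /example-api/device/file?name=../../conf/app.properties HTTP/1.1" 200 2048',
    '198.51.100.7 - admin [01/Jan/2022:10:00:09 +0000] "GET /example-api/device/file?name=%2e%2e%2f%2e%2e%2fconf HTTP/1.1" 200 100',
    '198.51.100.7 - admin [01/Jan/2022:10:00:12 +0000] "GET /example-api/device/file?name=%252e%252e%255cconf HTTP/1.1" 200 100',
    '198.51.100.7 - admin [01/Jan/2022:10:00:15 +0000] "GET /example-api/device/file?name=v1..2.txt HTTP/1.1" 200 100',
]


def fully_decode(target: str) -> str:
    """Percent-decode until stable (bounded), then treat backslashes as slashes."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def has_traversal(target: str) -> bool:
    """True if the decoded request target contains a '..' path segment."""
    return bool(DOTDOT_RE.search(fully_decode(target)))


def scan(lines, path_prefix=""):
    """Return (line_number, raw_target) for traversal requests under path_prefix."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        target = match.group("target") if match else ""
        if target and fully_decode(target).startswith(path_prefix) and has_traversal(target):
            hits.append((number, target))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, API_PREFIX):
        print(hit)
```

Hits that returned a 200 status with a sizeable response body are the ones to triage first, since the impact described is file read.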
Impact
Successful exploitation grants the attacker read access to files stored on the server filesystem, with the privileges of the running web application. This results in a high confidentiality impact, potentially exposing sensitive configuration files, credentials, or other data. No integrity or availability impact is expected [1].
Mitigation
Dell has released a security update addressing this vulnerability as part of DSA-2022-143. Users should upgrade to the latest version of Wyse Management Suite as recommended in the advisory. No workarounds have been provided [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.6.1
- Range: unspecified
Patches
No patches discovered yet.