Unrated severity · NVD Advisory · Published Aug 10, 2022 · Updated Sep 16, 2024

CVE-2022-34365

Description

WMS 3.7 contains a Path Traversal Vulnerability in Device API. An attacker could potentially exploit this vulnerability to gain unauthorized read access to the files stored on the server filesystem, with the privileges of the running web application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal vulnerability in Dell Wyse Management Suite 3.7 Device API allows unauthenticated attackers to read arbitrary files on the server.

Vulnerability

CVE-2022-34365 is a path traversal vulnerability in the Device API component of Dell Wyse Management Suite (WMS) version 3.7 and earlier. The vulnerability arises from insufficient input validation of file paths supplied to the API, enabling an attacker to traverse outside the intended directory and access arbitrary files on the server filesystem with the privileges of the web application [1].
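
The containment check that this class of bug lacks, shown beside the flawed join, as an added example (not Dell's code and not taken from the advisory). The function names, the `device_files` directory and the sample requests are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def resolve_naive(base_dir, requested):
    """Flawed pattern: join the client-supplied path and use it as-is."""
    return Path(os.path.join(base_dir, requested))


def resolve_contained(base_dir, requested):
    """Canonicalize first, then require the result to stay under base_dir."""
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks, so the check below
    # sees the location that would actually be opened.
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"path escapes base directory: {requested!r}")
    return candidate


def demo():
    """Run both resolvers over constructed requests in a throwaway tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = Path(root, "device_files")  # hypothetical served directory
        base.mkdir()
        (base / "config.json").write_text("{}")
        Path(root, "secret.txt").write_text("outside the served directory")
        cases = {
            "plain": "config.json",
            "dot-dot": "../secret.txt",
            "nested dot-dot": "sub/../../secret.txt",
            "absolute": str(Path(root, "secret.txt")),
        }
        for label, requested in cases.items():
            naive = resolve_naive(str(base), requested).resolve()
            naive_escapes = base.resolve() not in naive.parents
            try:
                resolve_contained(str(base), requested)
                verdict = "allowed"
            except PermissionError:
                verdict = "rejected"
            results[label] = (naive_escapes, verdict)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:15} naive_escapes={outcome[0]!s:5} contained={outcome[1]}")
```

The absolute-path case is included because `os.path.join` discards the base directory when the second argument is absolute, so filtering `..` alone is not sufficient.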

Exploitation

An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the Device API endpoint, manipulating path parameters to include directory traversal sequences (e.g., ../). No authentication is required, as the API endpoint is accessible to unauthenticated users [1]. The attacker does not need any special network position beyond network access to the WMS server.

Impact

Successful exploitation allows an attacker to read arbitrary files from the server filesystem, including sensitive configuration files, credentials, or other data stored on the server. This results in unauthorized information disclosure, potentially leading to further compromise of the system [1].

Mitigation

Dell has released a security update (DSA-2022-134) to address this vulnerability. Users should upgrade to the latest version of Wyse Management Suite as specified in the advisory. No workarounds are documented; applying the patch is the recommended mitigation [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
