Marvell QConvergeConsole Directory Traversal Vulnerability Leading to Arbitrary File Deletion and Information Disclosure

Vulnerability

A directory traversal vulnerability has been identified in the QLogicDownloadImpl class of Marvell QConvergeConsole. It allows remote attackers to delete arbitrary files and disclose sensitive information on affected systems. The issue arises from inadequate validation of user-supplied paths before they are used in file operations. Authentication is not required to exploit it, and it affects installations of Marvell QConvergeConsole prior to version 5.5.0.85.
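The missing step described above, validating a user-supplied path before it reaches a file operation, is sketched below as an added example. It is not Marvell's code or the contents of QLogicDownloadImpl; the class name, method name, `BASE_DIR` and the sample inputs are hypothetical.

```java
import java.io.IOException;
import java.nio.file.*;

// Added illustration, not Marvell code. Class, method and BASE_DIR are hypothetical.
public class SafeDownloadPath {
    // Assumed: the only directory the download handler may read from or delete in.
    static final Path BASE_DIR = Paths.get("downloads").toAbsolutePath().normalize();

    /** Returns the requested path if it stays under BASE_DIR; throws otherwise. */
    static Path resolveInsideBase(String name) throws IOException {
        // '\' and ':' are legal in POSIX file names but act as separator and drive
        // marker on Windows, so reject them on every platform along with NUL.
        if (name == null || name.isEmpty() || name.indexOf('\\') >= 0
                || name.indexOf(':') >= 0 || name.indexOf('\0') >= 0) {
            throw new SecurityException("malformed file name");
        }
        Path candidate;
        try {
            candidate = BASE_DIR.resolve(name).normalize();
        } catch (InvalidPathException e) {
            throw new SecurityException("invalid path");
        }
        // Lexical containment: normalize() collapses "..", and a rooted argument is
        // not resolved under BASE_DIR, so both cases fail startsWith().
        if (candidate.equals(BASE_DIR) || !candidate.startsWith(BASE_DIR)) {
            throw new SecurityException("path escapes base directory");
        }
        // Physical containment: follow symlinks/junctions on existing targets.
        if (Files.exists(candidate)
                && !candidate.toRealPath().startsWith(BASE_DIR.toRealPath())) {
            throw new SecurityException("link escapes base directory");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Files.createDirectories(BASE_DIR);
        // Constructed sample inputs.
        String[] samples = {"report.txt", "logs/app.log", "../outside.txt",
                "logs/../../outside.txt", "..\\outside.txt", "/outside.txt", "C:\\outside.txt"};
        for (String s : samples) {
            try {
                System.out.println("ALLOW " + s + " -> " + resolveInsideBase(s));
            } catch (SecurityException e) {
                System.out.println("DENY  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```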

Impact

Exploitation of this vulnerability allows arbitrary file deletion and unauthorized information disclosure. The leaked information is accessible in the context of the SYSTEM user.

Remediation

Marvell QConvergeConsole has reached End of Life and End of Support status; the last version released was 5.5.0.85, in January 2022. The vendor no longer supports or recommends this tool.

Added: Jul 7, 2025, 3:48 PM
Updated: Jul 7, 2025, 3:48 PM

Vulnerability Rating

Custom Algorithm
spread: 1.2
impact: 5.0
exploitability: 4.7
remediation: 0.0
relevance: 0.2
threat: 1.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.