Vulnerability Note VU#436214

Attachmate Verastream Host Integrator (VHI) allows arbitrary file upload and execution

Original Release date: 04 Nov 2013 | Last revised: 19 Nov 2013


The Attachmate Verastream Host Integrator (VHI) is vulnerable to arbitrary file uploads and execution.


CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2013-3626

The Attachmate VHI Session Server, on all platforms, allows unauthenticated remote attackers to write arbitrary files on the machine in which the product is installed by sending a specially crafted message to the VHI Session Server. The affected versions are:

  • 7.5 SP 1 HF 1
  • 7.5 SP 1
  • 7.5
  • 7.1 SP 2 HF 1 - 6
  • 7.1 SP 2
  • 7.1 SP 1
  • 7.1
  • 7.0
  • 6.6
  • 6.5
  • 6.0

  • Impact

    An attacker may be able to gain complete control of the server on which the application is installed.


    Apply a Hotfix
    Attachmate has released a hotfix to address this issue while a patch is being developed. The hotfix can be found at:

    Vendor Information (Learn More)

    VendorStatusDate NotifiedDate Updated
    AttachmateAffected02 Oct 201310 Oct 2013
    If you are a vendor and your product is affected, let us know.

    CVSS Metrics (Learn More)

    Group Score Vector
    Base 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C
    Temporal 7.5 E:POC/RL:TF/RC:C
    Environmental 1.9 CDP:N/TD:L/CR:ND/IR:ND/AR:ND



    Thanks to Arnold Geels of Attachmate for reporting this vulnerability.

    This document was written by Chris King.

    Other Information

    • CVE IDs: CVE-2013-3626
    • Date Public: 04 Nov 2013
    • Date First Published: 04 Nov 2013
    • Date Last Updated: 19 Nov 2013
    • Document Revision: 12


    If you have feedback, comments, or additional information about this vulnerability, please send us email.