CVE-2024-25659 Unauthorized SFTP File Modifications in TNMS Installation Folders
| Public disclosure | 03-06-2025 |
|---|---|
| Last updated | 03-06-2025 |
| Vulnerability type | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| CVSS vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVSS score | 7.2 |
Description
In Infinera TNMS (Transcend Network Management System), an insecure default configuration of the internal SFTP server allows a low-privileged SFTP user to perform unauthorized modifications to the TNMS installation folders.
This vulnerability could lead to unauthorized changes and potential disruption of the TNMS services.
Affected products and versions
All versions before the TNMS V21.10 release.
Mitigation plan
By default, the internal SFTP user that is used to transfer files between the NE network and the TNMS applications has permission to access TNMS-related folders, including the installation folders. To mitigate this vulnerability, the TNMS SFTP user should be restricted to accessing only the application data folders and, additionally, forbidden from logging in to the system.
Please follow chapter 7.5.2, Restricting the TNMS SFTP User, to restrict the TNMS SFTP user's access (for version 21.00, consult the WU05 FSB).
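The following audit helper is an added example, not code from the advisory or from Infinera. It assumes the internal SFTP server is OpenSSH, and the user name `tnmssftp`, the paths and the sample configuration text are constructed placeholders; it checks the two properties the mitigation calls for: the SFTP user is confined to a chroot with `internal-sftp` forced, and its login shell is disabled.

```python
# Added audit helper (assumption: the TNMS SFTP service is OpenSSH; names and paths are placeholders).
import re

def parse_sshd_config(text):
    """Split sshd_config text into (global directives, [(match criteria, directives)]).
    Keywords are case-insensitive; both 'Key value' and 'Key=value' forms are accepted."""
    global_d, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        m = re.match(r"^(\S+?)[\s=]+(.*)$", line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":                             # a new Match block starts here
            current = {}
            blocks.append((val.lower().split(), current))
            continue
        (current if current is not None else global_d)[key] = val
    return global_d, blocks

def sftp_user_confined(text, user):
    """True only if a Match block naming `user` both chroots it and forces internal-sftp,
    so it gets no shell and cannot reach paths (e.g. installation folders) outside the chroot."""
    _, blocks = parse_sshd_config(text)
    for criteria, d in blocks:
        if "user" in criteria and user.lower() in criteria[criteria.index("user") + 1].split(","):
            return (d.get("forcecommand", "").split()[:1] == ["internal-sftp"]
                    and bool(d.get("chrootdirectory")))
    return False                                       # no Match block: user keeps default access

def login_shell_disabled(passwd_text, user):
    """True if the account's shell in /etc/passwd-format text is a non-interactive one."""
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[0] == user:
            return f[6] in ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")
    return False

# Constructed samples: a default-style configuration, then the hardened one.
WEAK = "Subsystem sftp internal-sftp\nPasswordAuthentication no\n"
HARDENED = """Subsystem sftp internal-sftp
# Chroot must be root-owned and not writable by the SFTP user; its data folder sits below it
Match User tnmssftp
    ChrootDirectory /srv/tnms-sftp
    ForceCommand internal-sftp
    AllowTcpForwarding no
"""
PASSWD = "root:x:0:0:root:/root:/bin/bash\ntnmssftp:x:1001:1001::/srv/tnms-sftp/data:/usr/sbin/nologin\n"
```

Run the two checks against the live `sshd_config` and `/etc/passwd` after applying the vendor chapter; both must return `True` for the SFTP account.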
References
Change history: Initial version published on 03-06-2025