Critical Vulnerabilities Patched in OpenText PVCS Version Manager

CVE-2024-1147 and CVE-2024-1148

Recently, Micro Focus has addressed two serious vulnerabilities in OpenText PVCS Version Manager, a widely used version control system. These flaws, tracked as CVE-2024-1147 and CVE-2024-1148, could allow attackers to upload and download sensitive files from affected servers without authentication. Both vulnerabilities carry a high CVSS score of 9.8, underscoring the potential severity.

CVE-2024-1147 and CVE-2024-1148

Understanding the Vulnerabilities

The vulnerabilities stem from insufficient access control mechanisms in specific components of PVCS Version Manager. This weakness leaves the system open to the following attacks:

  • Unauthorized File Upload: Attackers could exploit the flaws to upload malicious files to the server, potentially compromising the system or launching attacks on other connected devices.
  • Unauthorized File Download: The vulnerabilities could enable attackers to download confidential source code or sensitive data, posing risks of intellectual property theft or data breaches.

Patch Available, Upgrade Essential

Micro Focus released a patch (PVCS Version Manager 8.6.3.3) in September 2023 that effectively addresses these vulnerabilities. Organizations utilizing PVCS Version Manager are strongly advised to install this patch as soon as possible.

Additional Security Measure

Micro Focus further recommends enabling the “Path Map Security” feature within PVCS Version Manager. This configuration option is detailed in the “Configuring Path Map Security Options” section of their Administrator’s Guide and adds an extra layer of protection.

Why This Matters

Version control systems like PVCS Version Manager hold the keys to an organization’s software development efforts. Compromising such a system could have far-reaching consequences, including:

  • Source Code Exposure: Loss of valuable intellectual property
  • Data Theft: Compromise of sensitive information
  • System Disruption: Potential for malware spreading within the development network

The Takeaway

This advisory highlights the importance of timely software updates, especially for critical infrastructure components. Organizations using OpenText PVCS Version Manager should prioritize patching and consider implementing additional security controls for robust protection.