Security Vulnerability - GroupWise 8 WebAccess Arbitrary File Download Vulnerability

  • 7007156
  • 04-Nov-2010
  • 26-Apr-2012


Novell GroupWise 8
Novell GroupWise 8 WebAccess Agent
Novell GroupWise 8 Document Viewer Agent
Previous versions of GroupWise are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GWIAs and associated Domains to version 8.02HP in order to secure their system.


The GroupWise WebAccess Agent and Document Viewer Agent are vulnerable to an exploit that could potentially allow arbitrary files to be downloaded from the server.  Authentication is not required to exploit this vulnerability.

This vulnerability was discovered by Mehul Revankar, reported through Secunia (

Novell bugs 638644, 638646, CVE number pending


To resolve this security issue, update GroupWise WebAccess servers (the Document Viewer Agent is installed as part of the WebAccess setup) to version 8.02 Hot Patch (or later)


Security Alert

Bug Number

638644 638646