CVE-2015-5970 ZCM ZENworks ChangePassword XPath Injection Information Disclosure Vulnerability

  • 7017240
  • 09-Feb-2016
  • 13-Jul-2016


Novell ZENworks Configuration Management 11.4
Novell ZENworks Configuration Management 11.3


This vulnerability allows remote attackers to exfiltrate arbitrary text files on vulnerable installations of Novell Zenworks. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the ChangePassword RPC method. By providing a malformed query, an attacker can combine a system entity reference with an XPath injection vulnerability to exfiltrate arbitrary text files from the system.
This issue has been found and reported by 'cpnrodzc7' working with HP's Zero Day Initiative (ZDI-16-167, CVE-2015-5970):


MicroFocus has released a patch to address this vulnerability.  The patches are for ZCM 11.4.x (11.4.1, 11.4.0) and 11.3.x, and they can be obtained from MicroFocus Support Patch Finder, or directly from the urls below:

Note that ZCM 11.4.2 already includes this patch, so this is no longer an issue on this version (or higher).