Vibe Arbitrary File Download (CVE-2017-7433)

  • 7019005
  • 17-May-2017
  • 17-May-2017


Micro Focus Vibe 4.0.2 (and earlier)


An absolute path traversal vulnerability (CWE-36) in Micro Focus Vibe 4.0.2 and earlier allows a remote authenticated attacker to download arbitrary files from the server by submitting a specially crafted request to the viewFile endpoint. Note that the attack can be performed without authentication if Guest access is enabled (Guest access is disabled by default).


A fix for this issue is available in Micro Focus Vibe 4.0.3.

Additional Information

CVE-2017-7433 (More details:

Special thanks to Kacper Szurek ( for reporting this issue.