ID
VAR-201401-0706
CVE
CVE-2014-125125
TITLE
A10 Networks AX ADC 'filename' Parameter Directory Traversal Vulnerability
Trust: 0.9
DESCRIPTION
A path traversal vulnerability exists in A10 Networks AX Loadbalancer versions 2.6.1-GR1-P5, 2.7.0, and earlier. The vulnerability resides in the handling of the filename parameter in the /xml/downloads endpoint, which fails to properly sanitize user input. An unauthenticated attacker can exploit this flaw by sending crafted HTTP requests containing directory traversal sequences to read arbitrary files outside the intended directory. The files returned by the vulnerable endpoint are deleted from the system after retrieval. This can lead to unauthorized disclosure of sensitive information such as SSL certificates and private keys, as well as unintended file deletion. The A10 Networks AX ADC failed to properly process the 'filename' parameter data, allowing remote attackers to exploit the vulnerability to submit a special directory traversal sequence to view system file content with WEB privileges. A10 Networks AX ADC is an application delivery controller from A10 Networks. An attacker could use this loophole to traverse characters ('..') to access arbitrary files containing sensitive information. Information harvested may aid in launching further attacks
Trust: 2.25
IOT TAXONOMY
| category: | ['Network device'] | sub_category: | - | Trust: 0.6 |
AFFECTED PRODUCTS
| vendor: | a10 | model: | networks ax adc build | scope: | eq | version: | 2.7.0217 | Trust: 0.6 |
| vendor: | a10 | model: | networks ax adc build | scope: | eq | version: | 2.7217 | Trust: 0.3 |
| vendor: | a10 | model: | networks ax adc gr1-p5 | scope: | eq | version: | 2.6.1 | Trust: 0.3 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||||||||
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-22 | Trust: 1.0 |
| problemtype: | CWE-706 | Trust: 1.0 |
THREAT TYPE
remote
Trust: 0.6
TYPE
path traversal
Trust: 0.6
PATCH
| title: | A10 Networks AX ADC 'filename' parameter directory traversal vulnerability patch | url: | https://www.cnvd.org.cn/patchInfo/show/43542 | Trust: 0.6 |
EXTERNAL IDS
| db: | EXPLOIT-DB | id: | 31261 | Trust: 1.6 |
| db: | BID | id: | 65206 | Trust: 1.5 |
| db: | NVD | id: | CVE-2014-125125 | Trust: 1.0 |
| db: | CNVD | id: | CNVD-2014-00908 | Trust: 0.6 |
| db: | CNNVD | id: | CNNVD-201402-381 | Trust: 0.6 |
REFERENCES
| url: | https://www.exploit-db.com/exploits/31261 | Trust: 1.0 |
| url: | https://www.vulncheck.com/advisories/a10-networks-ax-loadbalancer-path-traversal | Trust: 1.0 |
| url: | https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/http/a10networks_ax_directory_traversal.rb | Trust: 1.0 |
| url: | http://www.exploit-db.com/exploits/31261/ | Trust: 0.6 |
| url: | http://www.securityfocus.com/bid/65206 | Trust: 0.6 |
| url: | http://www.a10networks.com/products/axseries_adc.php | Trust: 0.3 |
CREDITS
xistence
Trust: 0.9
SOURCES
| db: | CNVD | id: | CNVD-2014-00908 |
| db: | BID | id: | 65206 |
| db: | CNNVD | id: | CNNVD-201402-381 |
| db: | NVD | id: | CVE-2014-125125 |
LAST UPDATE DATE
2025-08-02T23:17:00.775000+00:00
SOURCES UPDATE DATE
| db: | CNVD | id: | CNVD-2014-00908 | date: | 2014-02-14T00:00:00 |
| db: | BID | id: | 65206 | date: | 2014-01-28T00:00:00 |
| db: | CNNVD | id: | CNNVD-201402-381 | date: | 2014-02-28T00:00:00 |
| db: | NVD | id: | CVE-2014-125125 | date: | 2025-07-31T18:42:37.870 |
SOURCES RELEASE DATE
| db: | CNVD | id: | CNVD-2014-00908 | date: | 2014-02-14T00:00:00 |
| db: | BID | id: | 65206 | date: | 2014-01-28T00:00:00 |
| db: | CNNVD | id: | CNNVD-201402-381 | date: | 2014-01-28T00:00:00 |
| db: | NVD | id: | CVE-2014-125125 | date: | 2025-07-31T15:15:35.063 |