Today EMC released a note about a vulnerability that affects the Documentum D2 client.
The CVE identifier is CVE-2014-2504 (score 8.5). The affected products are:
- EMC Documentum D2 3.1 and patch versions
- EMC Documentum D2 3.1SP1 and patch versions
- EMC Documentum D2 4.0 and patch versions
- EMC Documentum D2 4.1 and patch versions
- EMC Documentum D2 4.2 and patch versions
In particular, EMC Documentum D2 may be vulnerable to arbitrary Documentum Query Language (DQL) query execution: there are methods and a D2FS web service method that may allow an authenticated user to execute arbitrary DQL queries with superuser privileges. For this reason, an upgrade to the latest patch is strongly recommended.
The following products contain the resolution to this issue