The (1) bin/invscoutClient_VPD_Survey and (2) sbin/invscout_lsvpd programs in invscout.rte before 2.2.0.19 on IBM AIX 7.1, 6.1, 5.3, and earlier allow local users to delete arbitrary files, or trigger inventory scout operations on arbitrary files, via a symlink attack on an unspecified file.

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Name | Vendor | Start Version | End Version |
---|---|---|---|
invscout.rte | IBM | * | 2.2.0.18 (including) |
invscout.rte | IBM | 2.2.0.2 (including) | 2.2.0.2 (including) |
invscout.rte | IBM | 2.2.0.4 (including) | 2.2.0.4 (including) |
invscout.rte | IBM | 2.2.0.7 (including) | 2.2.0.7 (including) |
invscout.rte | IBM | 2.2.0.8 (including) | 2.2.0.8 (including) |
invscout.rte | IBM | 2.2.0.9 (including) | 2.2.0.9 (including) |
invscout.rte | IBM | 2.2.0.10 (including) | 2.2.0.10 (including) |
invscout.rte | IBM | 2.2.0.11 (including) | 2.2.0.11 (including) |
invscout.rte | IBM | 2.2.0.12 (including) | 2.2.0.12 (including) |
invscout.rte | IBM | 2.2.0.13 (including) | 2.2.0.13 (including) |
invscout.rte | IBM | 2.2.0.14 (including) | 2.2.0.14 (including) |
invscout.rte | IBM | 2.2.0.15 (including) | 2.2.0.15 (including) |
invscout.rte | IBM | 2.2.0.17 (including) | 2.2.0.17 (including) |