To exploit this vulnerability, an attacker must send a crafted request to the affected system. A successful exploit could allow the attacker to retrieve files from the local file system or execute arbitrary commands with the privileges of the affected application. Although an exploit is unlikely to give the attacker direct, complete control of the affected system, the attacker may be able to use the privileges of the service to cause the system to stop servicing authorized requests, resulting in an extended DoS condition. An attacker who can disclose the contents of the system's password file could perform an offline brute-force attack against the user accounts listed in that file; note that this requires the password hashes to be present in the retrieved file, which on systems that use a separate shadow file means the attacker must also be able to read that root-only file.
The vendor-supplied description does not completely match the CVSS score the vendor provides. Because the description discusses information disclosure, the CVSS score would be expected to rate a partial confidentiality impact. The vendor also states that the disclosed information could let the attacker gain complete control of the targeted system; that is a secondary effect of the vulnerability and would normally not be reflected in the CVSS score. If it were reflected, however, the score would be complete for confidentiality, integrity, and availability, and the vendor's score does not match in that case either.
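To make the size of the scoring gap concrete, the following is an added example (not vendor code and not part of the original advisory) that implements the CVSS v2 base equation and scores the two readings discussed above. The advisory quotes no vector, so the access vector, access complexity and authentication metrics (AV:N/AC:L/Au:N, matching "send a request" with no stated authentication) are assumptions; the partial-confidentiality and complete-C/I/A vectors are the two readings under comparison.

```python
"""CVSS v2 base-score calculator, added as a worked illustration of the scoring
mismatch discussed above. Not vendor code. The vectors scored at the bottom are
assumptions: the advisory gives only a prose impact description, no vector."""

# Base metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

BASE_METRICS = {"AV", "AC", "Au", "C", "I", "A"}


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:N/A:N' into a dict, rejecting malformed input."""
    parts = dict(item.split(":", 1) for item in vector.split("/"))
    if set(parts) != BASE_METRICS:
        raise ValueError("vector must contain exactly the six CVSS v2 base metrics")
    return parts


def base_score(vector):
    """Return (base_score, impact, exploitability) per the CVSS v2 base equations."""
    m = parse_vector(vector)
    impact = 10.41 * (
        1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]])
    )
    exploitability = (
        20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    )
    # f(Impact) zeroes the score when no CIA impact is claimed at all.
    f_impact = 0 if impact == 0 else 1.176
    score = round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact, 1)
    return score, round(impact, 2), round(exploitability, 2)


# Assumed vectors for the two readings of the advisory: the description as
# written (information disclosure only) versus the "complete control" claim.
PARTIAL_CONFIDENTIALITY = "AV:N/AC:L/Au:N/C:P/I:N/A:N"
COMPLETE_CIA = "AV:N/AC:L/Au:N/C:C/I:C/A:C"


def score_both_readings():
    """Score the two readings side by side; returns {label: base_score}."""
    return {
        "partial confidentiality": base_score(PARTIAL_CONFIDENTIALITY)[0],
        "complete C/I/A": base_score(COMPLETE_CIA)[0],
    }


if __name__ == "__main__":
    for label, vec in (
        ("partial confidentiality", PARTIAL_CONFIDENTIALITY),
        ("complete C/I/A", COMPLETE_CIA),
    ):
        score, imp, expl = base_score(vec)
        print(f"{label:24s} {vec}  base={score}  impact={imp}  exploitability={expl}")
```

Under the assumed exploitability metrics, the information-disclosure reading scores 5.0 and the complete-control reading scores 10.0; any vendor score between those values is consistent with neither reading, which is the mismatch the note above points out. Changing the assumed AV/AC/Au metrics moves both numbers but not the shape of the argument.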