Vulnerability-Lookup

CNVD-2017-32977

Vulnerability from cnvd - Published: 2017-11-07

Title

Cisco License Manager Software目录遍历漏洞

Description

Cisco License Manager Software是美国思科（Cisco）公司的一套许可证书管理软件。该软件用于激活Cisco设备及软件，并在线获取设备许可证或产品秘钥。 Cisco License Manager Software中的Web界面存在目录遍历漏洞，该漏洞源于程序未能正确的过滤HTTP请求参数中用户的输入。远程攻击者可利用该漏洞下载并查看应用程序中的文件。

Severity

中

Patch Name

Cisco License Manager Software目录遍历漏洞的补丁

Patch Description

Formal description

用户可参考如下厂商提供的安全补丁以修复该漏洞： https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-clm

Reference

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-clm http://www.securityfocus.com/bid/101169

Impacted products

Name
Cisco License Manager 3.2.6

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "101169"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-12263"
    }
  },
  "description": "Cisco License Manager Software\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u5957\u8bb8\u53ef\u8bc1\u4e66\u7ba1\u7406\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u7528\u4e8e\u6fc0\u6d3bCisco\u8bbe\u5907\u53ca\u8f6f\u4ef6\uff0c\u5e76\u5728\u7ebf\u83b7\u53d6\u8bbe\u5907\u8bb8\u53ef\u8bc1\u6216\u4ea7\u54c1\u79d8\u94a5\u3002\r\n\r\nCisco License Manager Software\u4e2d\u7684Web\u754c\u9762\u5b58\u5728\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u7684\u8fc7\u6ee4HTTP\u8bf7\u6c42\u53c2\u6570\u4e2d\u7528\u6237\u7684\u8f93\u5165\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4e0b\u8f7d\u5e76\u67e5\u770b\u5e94\u7528\u7a0b\u5e8f\u4e2d\u7684\u6587\u4ef6\u3002",
  "discovererName": "rgod working with Trend Micro\u0027s Zero Day Initiative",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-clm",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-32977",
  "openTime": "2017-11-07",
  "patchDescription": "Cisco License Manager Software\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u5957\u8bb8\u53ef\u8bc1\u4e66\u7ba1\u7406\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u7528\u4e8e\u6fc0\u6d3bCisco\u8bbe\u5907\u53ca\u8f6f\u4ef6\uff0c\u5e76\u5728\u7ebf\u83b7\u53d6\u8bbe\u5907\u8bb8\u53ef\u8bc1\u6216\u4ea7\u54c1\u79d8\u94a5\u3002\r\n\r\nCisco License Manager Software\u4e2d\u7684Web\u754c\u9762\u5b58\u5728\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u7684\u8fc7\u6ee4HTTP\u8bf7\u6c42\u53c2\u6570\u4e2d\u7528\u6237\u7684\u8f93\u5165\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4e0b\u8f7d\u5e76\u67e5\u770b\u5e94\u7528\u7a0b\u5e8f\u4e2d\u7684\u6587\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco License Manager Software\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Cisco License Manager 3.2.6"
  },
  "referenceLink": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-clm\r\nhttp://www.securityfocus.com/bid/101169",
  "serverity": "\u4e2d",
  "submitTime": "2017-10-09",
  "title": "Cisco License Manager Software\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e"
}

CVE-2017-12263 (GCVE-0-2017-12263)

Vulnerability from cvelistv5 – Published: 2017-10-05 07:00 – Updated: 2024-08-05 18:28

Summary

A vulnerability in the web interface of Cisco License Manager software could allow an unauthenticated, remote attacker to download and view files within the application that should be restricted, aka Directory Traversal. The issue is due to improper sanitization of user-supplied input in HTTP request parameters that describe filenames. An attacker could exploit this vulnerability by using directory traversal techniques to submit a path to a desired file location. An exploit could allow the attacker to view application files that may contain sensitive information. Cisco Bug IDs: CSCvd83577.

Severity ?

No CVSS data available.

CWE

CWE-22

Assigner

cisco

References

URL

Tags

	http://www.securityfocus.com/bid/101169	vdb-entryx_refsource_BID
	https://tools.cisco.com/security/center/content/C…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	Cisco License Manager	Affected: Cisco License Manager

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T18:28:16.811Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "101169",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/101169"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-clm"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco License Manager",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Cisco License Manager"
            }
          ]
        }
      ],
      "datePublic": "2017-10-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the web interface of Cisco License Manager software could allow an unauthenticated, remote attacker to download and view files within the application that should be restricted, aka Directory Traversal. The issue is due to improper sanitization of user-supplied input in HTTP request parameters that describe filenames. An attacker could exploit this vulnerability by using directory traversal techniques to submit a path to a desired file location. An exploit could allow the attacker to view application files that may contain sensitive information. Cisco Bug IDs: CSCvd83577."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-10-06T09:57:01",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "101169",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/101169"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-clm"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "ID": "CVE-2017-12263",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cisco License Manager",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Cisco License Manager"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in the web interface of Cisco License Manager software could allow an unauthenticated, remote attacker to download and view files within the application that should be restricted, aka Directory Traversal. The issue is due to improper sanitization of user-supplied input in HTTP request parameters that describe filenames. An attacker could exploit this vulnerability by using directory traversal techniques to submit a path to a desired file location. An exploit could allow the attacker to view application files that may contain sensitive information. Cisco Bug IDs: CSCvd83577."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "101169",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/101169"
            },
            {
              "name": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-clm",
              "refsource": "CONFIRM",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-clm"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2017-12263",
    "datePublished": "2017-10-05T07:00:00",
    "dateReserved": "2017-08-03T00:00:00",
    "dateUpdated": "2024-08-05T18:28:16.811Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-32977

CVE-2017-12263 (GCVE-0-2017-12263)

Tags

Sightings

Nomenclature