Sign-up

ID

VAR-201412-0596


CVE

CVE-2014-7285


TITLE

Symantec Web Gateway Any management console running on the appliance OS Command execution vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-007274

DESCRIPTION

The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts. Supplementary information : CWE Vulnerability type by CWE-77: Improper Neutralization of Special Elements used in a Command ( Command injection ) Has been identified. Symantec Web Gateway is prone to a command-injection vulnerability. Successfully exploiting this issue may allow an attacker to execute arbitrary OS commands in the context of the affected appliance. Versions prior to Symantec Web Gateway 5.2.2 are vulnerable. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more

Trust: 1.98

sources: NVD: CVE-2014-7285 // JVNDB: JVNDB-2014-007274 // BID: 71620 // VULHUB: VHN-75230

AFFECTED PRODUCTS

vendor:symantecmodel:web gatewayscope:lteversion:5.2.1

Trust: 1.0

vendor:symantecmodel:web gatewayscope:ltversion:5.2.2

Trust: 0.8

vendor:symantecmodel:web gatewayscope:eqversion:5.2.1

Trust: 0.6

vendor:symantecmodel:web gatewayscope:eqversion:5.0.3

Trust: 0.3

vendor:symantecmodel:web gatewayscope:eqversion:5.0.1

Trust: 0.3

vendor:symantecmodel:web gatewayscope:eqversion:5.0

Trust: 0.3

vendor:symantecmodel:web gatewayscope:eqversion:4.5.0.376

Trust: 0.3

vendor:symantecmodel:web gatewayscope:eqversion:4.5

Trust: 0.3

sources: BID: 71620 // JVNDB: JVNDB-2014-007274 // CNNVD: CNNVD-201412-374 // NVD: CVE-2014-7285

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-7285
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-7285
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201412-374
value: MEDIUM

Trust: 0.6

VULHUB: VHN-75230
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-7285
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-75230
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-75230 // JVNDB: JVNDB-2014-007274 // CNNVD: CNNVD-201412-374 // NVD: CVE-2014-7285

PROBLEMTYPE DATA

problemtype:CWE-77

Trust: 1.1

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-75230 // JVNDB: JVNDB-2014-007274 // NVD: CVE-2014-7285

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201412-374

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201412-374

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-007274

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-75230

PATCH
title:SYM14-016url:http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20141216_00
Trust: 0.8
title:SYM14-016url:http://www.symantec.com/ja/jp/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20141216_00
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2014-007274

EXTERNAL IDS
db:NVDid:CVE-2014-7285
Trust: 2.8
db:BIDid:71620
Trust: 2.0
db:SECTRACKid:1031386
Trust: 1.1
db:PACKETSTORMid:130612
Trust: 1.1
db:EXPLOIT-DBid:36263
Trust: 1.1
db:OSVDBid:116009
Trust: 1.1
db:JVNDBid:JVNDB-2014-007274
Trust: 0.8
db:CNNVDid:CNNVD-201412-374
Trust: 0.7
db:PACKETSTORMid:129780
Trust: 0.1
db:VULHUBid:VHN-75230
Trust: 0.1
sources:
            
            
            VULHUB: VHN-75230 // 
            
            
            
            BID: 71620 // 
            
            
            
            JVNDB: JVNDB-2014-007274 // 
            
            
            
            CNNVD: CNNVD-201412-374 // 
            
            
            
            NVD: CVE-2014-7285

REFERENCES
url:http://www.securityfocus.com/bid/71620
Trust: 1.7
url:http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20141216_00
Trust: 1.6
url:http://www.exploit-db.com/exploits/36263
Trust: 1.1
url:http://karmainsecurity.com/kis-2014-19
Trust: 1.1
url:http://packetstormsecurity.com/files/130612/symantec-web-gateway-5-restore.php-command-injection.html
Trust: 1.1
url:http://osvdb.org/show/osvdb/116009
Trust: 1.1
url:http://www.securitytracker.com/id/1031386
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-7285
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-7285
Trust: 0.8
url:http://www.symantec.com
Trust: 0.3
url:http://www.symantec.com/business/web-gateway
Trust: 0.3
url:http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20141216_00
Trust: 0.1
sources:
            
            
            VULHUB: VHN-75230 // 
            
            
            
            BID: 71620 // 
            
            
            
            JVNDB: JVNDB-2014-007274 // 
            
            
            
            CNNVD: CNNVD-201412-374 // 
            
            
            
            NVD: CVE-2014-7285

CREDITS
Egidio Romano of Secunia.
Trust: 0.3
sources:
            
            
            BID: 71620

SOURCES
db:VULHUBid:VHN-75230
db:BIDid:71620
db:JVNDBid:JVNDB-2014-007274
db:CNNVDid:CNNVD-201412-374
db:NVDid:CVE-2014-7285

LAST UPDATE DATE
2024-11-23T22:18:27.816000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-75230date:2017-01-03T00:00:00
db:BIDid:71620date:2015-01-06T00:03:00
db:JVNDBid:JVNDB-2014-007274date:2014-12-19T00:00:00
db:CNNVDid:CNNVD-201412-374date:2014-12-18T00:00:00
db:NVDid:CVE-2014-7285date:2024-11-21T02:16:41.050

SOURCES RELEASE DATE
db:VULHUBid:VHN-75230date:2014-12-17T00:00:00
db:BIDid:71620date:2014-12-16T00:00:00
db:JVNDBid:JVNDB-2014-007274date:2014-12-19T00:00:00
db:CNNVDid:CNNVD-201412-374date:2014-12-18T00:00:00
db:NVDid:CVE-2014-7285date:2014-12-17T16:59:00.067