ID

VAR-201705-3652


CVE

CVE-2017-6629


TITLE

Cisco Unity Connection path traversal vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-003766

DESCRIPTION

A vulnerability in the ImageID parameter of Cisco Unity Connection 10.5(2) could allow an unauthenticated, remote attacker to access files in arbitrary locations on the filesystem of an affected device. The issue is due to improper sanitization of user-supplied input in HTTP POST parameters that describe filenames. An attacker could exploit this vulnerability by using directory traversal techniques to submit a path to a desired file location. Cisco Bug IDs: CSCvd90118. Cisco Unity Connection contains a path traversal vulnerability. The vendor has confirmed this vulnerability and released it as Bug ID CSCvd90118. Information may be obtained. Attackers can exploit this issue to gain unauthorized access to the affected application. This may aid in further attacks. The platform can use voice commands to make calls or listen to messages "hands-free". The 'ImageID' parameter in Cisco UC version 10.5(2) has an unauthorized access vulnerability. The vulnerability stems from the fact that the program does not properly filter the input submitted by the user in the HTTP POST parameter.

Trust: 1.98

sources: NVD: CVE-2017-6629 // JVNDB: JVNDB-2017-003766 // BID: 98286 // VULHUB: VHN-114832

AFFECTED PRODUCTS

vendor: cisco, model: unity connection, scope: eq, version: 10.5\(2\)

Trust: 1.6

vendor: cisco, model: unity connection, scope: eq, version: 10.5(2)

Trust: 0.8

vendor: cisco, model: unity connection, scope: eq, version: 0

Trust: 0.3

sources: BID: 98286 // JVNDB: JVNDB-2017-003766 // CNNVD: CNNVD-201705-202 // NVD: CVE-2017-6629

CVSS

SEVERITY

nvd@nist.gov: CVE-2017-6629
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-6629
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201705-202
value: MEDIUM

Trust: 0.6

VULHUB: VHN-114832
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2017-6629
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-114832
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2017-6629
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-114832 // JVNDB: JVNDB-2017-003766 // CNNVD: CNNVD-201705-202 // NVD: CVE-2017-6629

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.9

sources: VULHUB: VHN-114832 // JVNDB: JVNDB-2017-003766 // NVD: CVE-2017-6629

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201705-202

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201705-202

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-003766

PATCH

title: cisco-sa-20170503-cuc, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170503-cuc

Trust: 0.8

title: Cisco Unity Connection Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=69832

Trust: 0.6

sources: JVNDB: JVNDB-2017-003766 // CNNVD: CNNVD-201705-202

EXTERNAL IDS

db: NVD, id: CVE-2017-6629

Trust: 2.8

db: BID, id: 98286

Trust: 1.4

db: SECTRACK, id: 1038400

Trust: 1.1

db: JVNDB, id: JVNDB-2017-003766

Trust: 0.8

db: CNNVD, id: CNNVD-201705-202

Trust: 0.7

db: NSFOCUS, id: 36608

Trust: 0.6

db: VULHUB, id: VHN-114832

Trust: 0.1

sources: VULHUB: VHN-114832 // BID: 98286 // JVNDB: JVNDB-2017-003766 // CNNVD: CNNVD-201705-202 // NVD: CVE-2017-6629

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170503-cuc

Trust: 2.0

url:http://www.securityfocus.com/bid/98286

Trust: 1.1

url:http://www.securitytracker.com/id/1038400

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6629

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-6629

Trust: 0.8

url:http://www.nsfocus.net/vulndb/36608

Trust: 0.6

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-114832 // BID: 98286 // JVNDB: JVNDB-2017-003766 // CNNVD: CNNVD-201705-202 // NVD: CVE-2017-6629

CREDITS

Cisco

Trust: 0.3

sources: BID: 98286

SOURCES

db: VULHUB, id: VHN-114832
db: BID, id: 98286
db: JVNDB, id: JVNDB-2017-003766
db: CNNVD, id: CNNVD-201705-202
db: NVD, id: CVE-2017-6629

LAST UPDATE DATE

2024-11-23T22:26:45.853000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-114832, date: 2017-07-11T00:00:00
db: BID, id: 98286, date: 2017-05-18T16:18:00
db: JVNDB, id: JVNDB-2017-003766, date: 2017-06-07T00:00:00
db: CNNVD, id: CNNVD-201705-202, date: 2017-05-04T00:00:00
db: NVD, id: CVE-2017-6629, date: 2024-11-21T03:30:10.017

SOURCES RELEASE DATE

db: VULHUB, id: VHN-114832, date: 2017-05-03T00:00:00
db: BID, id: 98286, date: 2017-05-03T00:00:00
db: JVNDB, id: JVNDB-2017-003766, date: 2017-06-07T00:00:00
db: CNNVD, id: CNNVD-201705-202, date: 2017-05-04T00:00:00
db: NVD, id: CVE-2017-6629, date: 2017-05-03T21:59:00.323