Details of VAR-201707-0961

ID

VAR-201707-0961

CVE

CVE-2017-6746

TITLE

Cisco Web Security Appliance Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-006766

DESCRIPTION

A vulnerability in the web interface of the Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to perform command injection and elevate privileges to root. The attacker must authenticate with valid administrator credentials. Affected Products: Cisco AsyncOS Software 10.0 and later for WSA on both virtual and hardware appliances. More Information: CSCvd88862. Known Affected Releases: 10.1.0-204. Known Fixed Releases: 10.5.1-270 10.1.1-235. Vendors have confirmed this vulnerability Bug ID CSCvd88862 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The Cisco AsyncOS operating system is designed to enhance the security and performance of Cisco Email Security appliances. This may aid in further attacks. This issue is being tracked by Cisco bug ID CSCvd88862. The appliance provides SaaS-based access control, real-time network reporting and tracking, and security policy formulation. AsyncOS Software is an operating system used in it. The following releases are affected: Cisco AsyncOS Software Release 11.0, Release 10.5, Release 10.1.0-204, Release 10.1, Release 10.0

Trust: 2.52

sources: NVD: CVE-2017-6746 // JVNDB: JVNDB-2017-006766 // CNVD: CNVD-2017-18232 // BID: 99877 // VULHUB: VHN-114949

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-18232

AFFECTED PRODUCTS

vendor:	cisco	model:	web security appliance	scope:	eq	version:	11.0.0-613	Trust: 1.6
vendor:	cisco	model:	web security appliance	scope:	eq	version:	10.0_base	Trust: 1.6
vendor:	cisco	model:	web security appliance	scope:	eq	version:	10.1.0-204	Trust: 1.6
vendor:	cisco	model:	web security appliance	scope:	eq	version:	10.1.1-234	Trust: 1.6
vendor:	cisco	model:	web security appliance	scope:	eq	version:	10.0.0-233	Trust: 1.6
vendor:	cisco	model:	web security appliance	scope:	eq	version:	10.1.0	Trust: 1.6
vendor:	cisco	model:	web security appliance	scope:	eq	version:	10.1.1-230	Trust: 1.6
vendor:	cisco	model:	web security appliance	scope:	eq	version:	10.5.0	Trust: 1.6
vendor:	cisco	model:	web security appliance	scope:	eq	version:	11.0.0-641	Trust: 1.6
vendor:	cisco	model:	web security appliance	scope:	eq	version:	10.5.0-358	Trust: 1.6
vendor:	cisco	model:	web security appliance	scope:	eq	version:	11.0.0	Trust: 1.0
vendor:	cisco	model:	web security the appliance	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	web security appliance	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	web security appliance	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	asyncos software	scope:	eq	version:	11.0	Trust: 0.3
vendor:	cisco	model:	asyncos software	scope:	eq	version:	10.5	Trust: 0.3
vendor:	cisco	model:	asyncos software	scope:	eq	version:	10.1.0-204	Trust: 0.3
vendor:	cisco	model:	asyncos software	scope:	eq	version:	10.1	Trust: 0.3
vendor:	cisco	model:	asyncos software	scope:	eq	version:	10.0	Trust: 0.3
vendor:	cisco	model:	asyncos software	scope:	ne	version:	10.5.1-270	Trust: 0.3
vendor:	cisco	model:	asyncos software	scope:	ne	version:	10.1.1-235	Trust: 0.3

sources: CNVD: CNVD-2017-18232 // BID: 99877 // JVNDB: JVNDB-2017-006766 // CNNVD: CNNVD-201707-1174 // NVD: CVE-2017-6746

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-6746
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-6746
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2017-18232
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201707-1174
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-114949
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2017-6746
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-18232
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-114949
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-6746
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2017-18232 // VULHUB: VHN-114949 // JVNDB: JVNDB-2017-006766 // CNNVD: CNNVD-201707-1174 // NVD: CVE-2017-6746

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-114949 // JVNDB: JVNDB-2017-006766 // NVD: CVE-2017-6746

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201707-1174

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201707-1174

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-006766

PATCH

title:	cisco-sa-20170719-wsa1	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170719-wsa1	Trust: 0.8
title:	CiscoAsyncOSSoftware Command Injection Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/99405	Trust: 0.6
title:	Cisco Web Security Appliance AsyncOS Software Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=72019	Trust: 0.6

sources: CNVD: CNVD-2017-18232 // JVNDB: JVNDB-2017-006766 // CNNVD: CNNVD-201707-1174

EXTERNAL IDS

db:	NVD	id:	CVE-2017-6746	Trust: 3.4
db:	BID	id:	99877	Trust: 2.6
db:	SECTRACK	id:	1038948	Trust: 1.1
db:	JVNDB	id:	JVNDB-2017-006766	Trust: 0.8
db:	CNNVD	id:	CNNVD-201707-1174	Trust: 0.7
db:	CNVD	id:	CNVD-2017-18232	Trust: 0.6
db:	NSFOCUS	id:	37190	Trust: 0.6
db:	VULHUB	id:	VHN-114949	Trust: 0.1

sources: CNVD: CNVD-2017-18232 // VULHUB: VHN-114949 // BID: 99877 // JVNDB: JVNDB-2017-006766 // CNNVD: CNNVD-201707-1174 // NVD: CVE-2017-6746

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170719-wsa1	Trust: 2.6
url:	http://www.securityfocus.com/bid/99877	Trust: 1.7
url:	http://www.securitytracker.com/id/1038948	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6746	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-6746	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/37190	Trust: 0.6
url:	http://www.cisco.com/	Trust: 0.3

sources: CNVD: CNVD-2017-18232 // VULHUB: VHN-114949 // BID: 99877 // JVNDB: JVNDB-2017-006766 // CNNVD: CNNVD-201707-1174 // NVD: CVE-2017-6746

CREDITS

Daniel Jensen from Security-Assessment.com

Trust: 0.9

sources: BID: 99877 // CNNVD: CNNVD-201707-1174

SOURCES

db:	CNVD	id:	CNVD-2017-18232
db:	VULHUB	id:	VHN-114949
db:	BID	id:	99877
db:	JVNDB	id:	JVNDB-2017-006766
db:	CNNVD	id:	CNNVD-201707-1174
db:	NVD	id:	CVE-2017-6746

LAST UPDATE DATE

2024-11-23T21:40:50.236000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-18232	date:	2017-08-02T00:00:00
db:	VULHUB	id:	VHN-114949	date:	2017-08-08T00:00:00
db:	BID	id:	99877	date:	2017-07-19T00:00:00
db:	JVNDB	id:	JVNDB-2017-006766	date:	2017-09-04T00:00:00
db:	CNNVD	id:	CNNVD-201707-1174	date:	2017-07-27T00:00:00
db:	NVD	id:	CVE-2017-6746	date:	2024-11-21T03:30:26.230

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-18232	date:	2017-08-02T00:00:00
db:	VULHUB	id:	VHN-114949	date:	2017-07-25T00:00:00
db:	BID	id:	99877	date:	2017-07-19T00:00:00
db:	JVNDB	id:	JVNDB-2017-006766	date:	2017-09-04T00:00:00
db:	CNNVD	id:	CNNVD-201707-1174	date:	2017-07-27T00:00:00
db:	NVD	id:	CVE-2017-6746	date:	2017-07-25T19:29:00.240