ID

VAR-201708-1348


CVE

CVE-2017-6758


TITLE

Cisco Unified Communications Manager Path traversal vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-006838

DESCRIPTION

A vulnerability in the web framework of Cisco Unified Communications Manager 11.5(1.10000.6) could allow an authenticated, remote attacker to access arbitrary files in the context of the web root directory structure on an affected device. The vulnerability is due to insufficient input validation by the affected software. An attacker could exploit this vulnerability by using directory traversal techniques to read files in the web root directory structure on the Cisco Unified Communications Manager filesystem. Cisco Bug IDs: CSCve13796. Vendors have confirmed this vulnerability and released it as Bug ID CSCve13796. Information may be obtained. Remote attackers may use a specially crafted request with directory-traversal sequences ('../') to retrieve sensitive information. This may aid in further attacks. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution.

Trust: 1.98

sources: NVD: CVE-2017-6758 // JVNDB: JVNDB-2017-006838 // BID: 100119 // VULHUB: VHN-114961

AFFECTED PRODUCTS

vendor: cisco, model: unified communications manager, scope: eq, version: 11.5\(1.10000.6\)

Trust: 1.6

vendor: cisco, model: unified communications manager, scope: eq, version: 11.5(1.10000.6)

Trust: 1.1

vendor: cisco, model: unified communications manager, scope: eq, version: 0

Trust: 0.3

sources: BID: 100119 // JVNDB: JVNDB-2017-006838 // CNNVD: CNNVD-201708-161 // NVD: CVE-2017-6758

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-6758
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-6758
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201708-161
value: MEDIUM

Trust: 0.6

VULHUB: VHN-114961
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-6758
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:L/AU:S/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-114961
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:L/AU:S/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-6758
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-114961 // JVNDB: JVNDB-2017-006838 // CNNVD: CNNVD-201708-161 // NVD: CVE-2017-6758

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.9

sources: VULHUB: VHN-114961 // JVNDB: JVNDB-2017-006838 // NVD: CVE-2017-6758

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201708-161

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201708-161

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-006838

PATCH

title: CSCve13796 - Cisco Unified Communications Manager Directory Traversal Vulnerability, url: https://quickview.cloudapps.cisco.com/quickview/bug/CSCve13796

Trust: 0.8

title: cisco-sa-20170802-ucm1, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170802-ucm1

Trust: 0.8

title: Cisco Unified Communications Manager Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=72394

Trust: 0.6

sources: JVNDB: JVNDB-2017-006838 // CNNVD: CNNVD-201708-161

EXTERNAL IDS

db: NVD, id: CVE-2017-6758

Trust: 2.8

db: BID, id: 100119

Trust: 2.0

db: SECTRACK, id: 1039064

Trust: 1.7

db: JVNDB, id: JVNDB-2017-006838

Trust: 0.8

db: CNNVD, id: CNNVD-201708-161

Trust: 0.7

db: VULHUB, id: VHN-114961

Trust: 0.1

sources: VULHUB: VHN-114961 // BID: 100119 // JVNDB: JVNDB-2017-006838 // CNNVD: CNNVD-201708-161 // NVD: CVE-2017-6758

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170802-ucm1

Trust: 2.0

url:http://www.securityfocus.com/bid/100119

Trust: 1.7

url:https://quickview.cloudapps.cisco.com/quickview/bug/cscve13796

Trust: 1.7

url:http://www.securitytracker.com/id/1039064

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6758

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-6758

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-114961 // BID: 100119 // JVNDB: JVNDB-2017-006838 // CNNVD: CNNVD-201708-161 // NVD: CVE-2017-6758

CREDITS

Cisco

Trust: 0.3

sources: BID: 100119

SOURCES

db: VULHUB, id: VHN-114961
db: BID, id: 100119
db: JVNDB, id: JVNDB-2017-006838
db: CNNVD, id: CNNVD-201708-161
db: NVD, id: CVE-2017-6758

LAST UPDATE DATE

2024-11-23T21:53:49.188000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-114961, date: 2019-10-09T00:00:00
db: BID, id: 100119, date: 2017-08-02T00:00:00
db: JVNDB, id: JVNDB-2017-006838, date: 2017-09-05T00:00:00
db: CNNVD, id: CNNVD-201708-161, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2017-6758, date: 2024-11-21T03:30:27.733

SOURCES RELEASE DATE

db: VULHUB, id: VHN-114961, date: 2017-08-07T00:00:00
db: BID, id: 100119, date: 2017-08-02T00:00:00
db: JVNDB, id: JVNDB-2017-006838, date: 2017-09-05T00:00:00
db: CNNVD, id: CNNVD-201708-161, date: 2017-08-09T00:00:00
db: NVD, id: CVE-2017-6758, date: 2017-08-07T06:29:00.510