Details of VAR-201711-0311

ID

VAR-201711-0311

CVE

CVE-2017-12309

TITLE

Cisco E Email Security On the appliance HTTP Response splitting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-010470

DESCRIPTION

A vulnerability in the Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to conduct a HTTP response splitting attack. The vulnerability is due to the failure of the application or its environment to properly sanitize input values. An attacker could exploit this vulnerability by injecting malicious HTTP headers, controlling the response body, or splitting the response into multiple responses. An exploit could allow the attacker to perform cross-site scripting attacks, cross-user defacement, web cache poisoning, and similar exploits. Cisco Bug IDs: CSCvf16705. Vendors have confirmed this vulnerability Bug ID CSCvf16705 It is released as.Information may be tampered with. Attackers can leverage this issue to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into having a false sense of trust. The appliance offers spam protection, email encryption, data loss prevention, and more

Trust: 1.98

sources: NVD: CVE-2017-12309 // JVNDB: JVNDB-2017-010470 // BID: 101928 // VULHUB: VHN-102818

AFFECTED PRODUCTS

vendor:	cisco	model:	email security appliance	scope:	eq	version:	11.0.0-105	Trust: 1.9
vendor:	cisco	model:	email security appliance	scope:	eq	version:	10.0.2-020	Trust: 1.9
vendor:	cisco	model:	e email security the appliance	scope:	-	version:	-	Trust: 0.8

sources: BID: 101928 // JVNDB: JVNDB-2017-010470 // CNNVD: CNNVD-201711-672 // NVD: CVE-2017-12309

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-12309
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-12309
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201711-672
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-102818
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-12309
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-102818
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-12309
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-102818 // JVNDB: JVNDB-2017-010470 // CNNVD: CNNVD-201711-672 // NVD: CVE-2017-12309

PROBLEMTYPE DATA

problemtype:

CWE-113

Trust: 1.9

sources: VULHUB: VHN-102818 // JVNDB: JVNDB-2017-010470 // NVD: CVE-2017-12309

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201711-672

TYPE

injection

Trust: 0.6

sources: CNNVD: CNNVD-201711-672

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-010470

PATCH

title:	cisco-sa-20171115-esa	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-esa	Trust: 0.8
title:	Cisco Email Security Appliance Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=76497	Trust: 0.6

sources: JVNDB: JVNDB-2017-010470 // CNNVD: CNNVD-201711-672

EXTERNAL IDS

db:	NVD	id:	CVE-2017-12309	Trust: 2.8
db:	BID	id:	101928	Trust: 2.0
db:	SECTRACK	id:	1039831	Trust: 1.7
db:	JVNDB	id:	JVNDB-2017-010470	Trust: 0.8
db:	CNNVD	id:	CNNVD-201711-672	Trust: 0.7
db:	VULHUB	id:	VHN-102818	Trust: 0.1

sources: VULHUB: VHN-102818 // BID: 101928 // JVNDB: JVNDB-2017-010470 // CNNVD: CNNVD-201711-672 // NVD: CVE-2017-12309

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20171115-esa	Trust: 2.0
url:	http://www.securityfocus.com/bid/101928	Trust: 1.7
url:	http://www.securitytracker.com/id/1039831	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12309	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-12309	Trust: 0.8
url:	http://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html	Trust: 0.3

sources: VULHUB: VHN-102818 // BID: 101928 // JVNDB: JVNDB-2017-010470 // CNNVD: CNNVD-201711-672 // NVD: CVE-2017-12309

CREDITS

Cisco

Trust: 0.3

sources: BID: 101928

SOURCES

db:	VULHUB	id:	VHN-102818
db:	BID	id:	101928
db:	JVNDB	id:	JVNDB-2017-010470
db:	CNNVD	id:	CNNVD-201711-672
db:	NVD	id:	CVE-2017-12309

LAST UPDATE DATE

2024-11-23T22:00:49.396000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-102818	date:	2019-10-09T00:00:00
db:	BID	id:	101928	date:	2017-12-19T22:00:00
db:	JVNDB	id:	JVNDB-2017-010470	date:	2017-12-15T00:00:00
db:	CNNVD	id:	CNNVD-201711-672	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2017-12309	date:	2024-11-21T03:09:16.990

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-102818	date:	2017-11-16T00:00:00
db:	BID	id:	101928	date:	2017-11-15T00:00:00
db:	JVNDB	id:	JVNDB-2017-010470	date:	2017-12-15T00:00:00
db:	CNNVD	id:	CNNVD-201711-672	date:	2017-11-20T00:00:00
db:	NVD	id:	CVE-2017-12309	date:	2017-11-16T07:29:00.570