CVE-2017-12285

{"id": "CVE-2017-12285", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.4, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2017-10-19T08:29:00.467", "references": [{"url": "http://www.securityfocus.com/bid/101527", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ykramarz@cisco.com"}, {"url": "http://www.securitytracker.com/id/1039623", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ykramarz@cisco.com"}, {"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171018-nam", "tags": ["Vendor Advisory"], "source": "ykramarz@cisco.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-22"}]}, {"type": "Secondary", "source": "ykramarz@cisco.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the web interface of Cisco Network Analysis Module Software could allow an unauthenticated, remote attacker to delete arbitrary files from an affected system, aka Directory Traversal. The vulnerability exists because the affected software does not perform proper input validation of HTTP requests that it receives and the software does not apply role-based access controls (RBACs) to requested HTTP URLs. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected software. A successful exploit could allow the attacker to delete arbitrary files from the affected system. Cisco Bug IDs: CSCvf41365."}, {"lang": "es", "value": "Una vulnerabilidad en la interfaz web del software Cisco Network Analysis Module podr\u00eda permitir que un atacante remoto no autenticado elimine archivos arbitrarios de un sistema afectado. Esto tambi\u00e9n se conoce como salto de directorio. Esta vulnerabilidad existe porque el software afectado no realiza una correcta validaci\u00f3n de entradas de las peticiones HTTP que recibe y el software no aplica controles de acceso basados en roles (RBAC) a URL HTTP solicitadas. Un atacante podr\u00eda explotar esta vulnerabilidad mediante el env\u00edo de una petici\u00f3n HTTP manipulada al software afectado. Un exploit con \u00e9xito podr\u00eda permitir que el atacante elimine archivos arbitrarios del sistema afectado. Cisco Bug IDs: CSCvf41365."}], "lastModified": "2019-10-09T23:22:50.527", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:prime_network_analysis_module:6.2\\(1b\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "74E8BA60-1368-4199-8068-43BCEAAA4CF2"}], "operator": "OR"}]}], "sourceIdentifier": "ykramarz@cisco.com"}