CVE-2017-15655

{"id": "CVE-2017-15655", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.8}]}, "published": "2018-01-31T20:29:00.350", "references": [{"url": "http://packetstormsecurity.com/files/145921/ASUSWRT-3.0.0.4.382.18495-Session-Hijacking-Information-Disclosure.html", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "http://seclists.org/fulldisclosure/2018/Jan/63", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://sploit.tech/2018/01/16/ASUS-part-I.html", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-119"}]}], "descriptions": [{"lang": "en", "value": "Multiple buffer overflow vulnerabilities exist in the HTTPd server in Asus asuswrt version <=3.0.0.4.376.X. All have been fixed in version 3.0.0.4.378, but this vulnerability was not previously disclosed. Some end-of-life routers have this version as the newest and thus are vulnerable at this time. This vulnerability allows for RCE with administrator rights when the administrator visits several pages."}, {"lang": "es", "value": "Existen m\u00faltiples vulnerabilidades de desbordamiento de b\u00fafer en el servidor HTTPd en Asus asuswrt en versiones iguales o anteriores a la 3.0.0.4.376.X. Todas se han solucionado en la versi\u00f3n 3.0.0.4.378, pero esta vulnerabilidad no hab\u00eda sido revelada anteriormente. Algunos routers que est\u00e1n en el final de su vida \u00fatil tienen esta versi\u00f3n como la m\u00e1s nueva y, por lo tanto, son vulnerables. Esta vulnerabilidad permite un RCE con privilegios de administrador cuando el administrador visita varias p\u00e1ginas."}], "lastModified": "2018-02-21T15:45:01.707", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:asus:asuswrt:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "94706BE6-DD37-4F86-8154-5809CE4913A0", "versionEndExcluding": "3.0.0.4.378"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}