CVE-2017-14706

Name of the Vulnerable Software and Affected Versions DenyAll WAF versions 5.5.0 through 5.5.12 DenyAll WAF version 5.6 DenyAll WAF version 5.7 DenyAll WAF versions 6.x before 6.4.1

Description The issue allows unauthenticated remote attackers to obtain authentication information by making a typeOf=debug request to "/webservices/download/index.php" and then reading the iToken field in the reply. This affects On Premises or AWS/Azure cloud deployments.

Recommendations For DenyAll WAF versions 5.5.0 through 5.5.12, update to version 6.4.1 or later. For DenyAll WAF version 5.6, update to version 6.4.1 or later. For DenyAll WAF version 5.7, update to version 6.4.1 or later. For DenyAll WAF versions 6.x before 6.4.1, update to version 6.4.1 or later. As a temporary workaround, consider restricting access to the "/webservices/download/index.php" endpoint until a patch is available.