PT-2017-16142 · Cisco · Cisco Workload Automation Client Manager Server+1

Published: 2017-03-15 · Updated: 2017-07-12 · CVE-2017-3846

CVSS v3.1: 8.6 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Cisco Workload Automation Client Manager Server versions 6.3.0.116 and later
Cisco Tidal Enterprise Scheduler Client Manager Server versions 6.2.1.435 and later

Description

The issue is caused by insufficient input validation, allowing an unauthenticated, remote attacker to retrieve any file from the Client Manager Server by sending a crafted URL. This could enable the attacker to access sensitive information.

Recommendations

For Cisco Workload Automation Client Manager Server versions 6.3.0.116 and later, update to a version that includes the fix for this issue.

For Cisco Tidal Enterprise Scheduler Client Manager Server versions 6.2.1.435 and later, update to a version that includes the fix for this issue.

As a temporary workaround, consider restricting access to the Client Manager Server to minimize the risk of exploitation.

Fix

RCE


Weakness Enumeration

Related Identifiers

CVE-2017-3846

Affected Products

Cisco Tidal Enterprise Scheduler Client Manager Server
Cisco Workload Automation Client Manager Server