PT-2017-3098 · Tenable · Tenable Appliance

Agix · Published 2017-04-18 · Updated 2019-10-03 · CVE-2017-8051

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Tenable Appliance versions 3.5 through 4.4.0
Tenable Appliance versions prior to 3.5

Description

The issue is related to a flaw in the simpleupload.py script in the Web UI, which allows a remote attacker to inject arbitrary commands by manipulating the tns_appliance_session_user parameter. This can enable the attacker to execute commands remotely.

Recommendations

For Tenable Appliance versions 3.5 through 4.4.0, consider disabling the simpleupload.py script in the Web UI until a patch is available. For Tenable Appliance versions prior to 3.5, restrict access to the Web UI to minimize the risk of exploitation. As a temporary workaround, avoid using the tns_appliance_session_user parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

OS Command Injection

Command Injection


Weakness Enumeration

Related Identifiers

BDU:2017-02478
CVE-2017-8051

Affected Products

Tenable Appliance