PT-2017-14491 · Netgain · Netgain Enterprise Manager

Jacob Baines

Published

2017-12-13

Updated

2019-10-09

CVE-2017-16607

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Netgain Enterprise Manager (affected versions not specified)

Description This issue allows remote attackers to disclose sensitive information on vulnerable installations. Authentication is not required to exploit this. The specific flaw exists within the heapdumps.jsp page. The issue results from the lack of proper validation of a user-supplied string before using it to download heap memory dump. An attacker can leverage this in conjunction with other issues to disclose sensitive information in the context of the current process.

Recommendations At the moment, there is no information about a newer version that contains a fix for this issue.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2017-16607

ZDI-17-949

Affected Products

Netgain Enterprise Manager

PT-2017-14491 · Netgain · Netgain Enterprise Manager

CVE-2017-16607

Weakness Enumeration

Related Identifiers

Affected Products

References · 5