PT-2017-16142 · Cisco · Cisco Workload Automation Client Manager Server, Cisco Tidal Enterprise Scheduler Client Manager Server
Published
2017-03-15
·
Updated
2017-07-12
·
CVE-2017-3846
CVSS v3.1
8.6
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Cisco Workload Automation Client Manager Server versions 6.3.0.116 and later
Cisco Tidal Enterprise Scheduler Client Manager Server versions 6.2.1.435 and later
Description
The issue is caused by insufficient validation of user-supplied input in the web interface of the Client Manager Server: an unauthenticated, remote attacker who can reach the server can retrieve arbitrary files from it by sending a crafted URL, and so read sensitive information stored on the host. The CVSS vector reflects this: the attack is network-reachable with no privileges or user interaction (AV:N/PR:N/UI:N), the impact is confidentiality only (C:H/I:N/A:N), and scope is changed (S:C) because files beyond the web application's own resources are exposed.
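The source of the Client Manager Server is not public, so the following is an added illustration of the weakness class the description names (a file handler that trusts a path taken from the URL), not the product's own code. It shows the vulnerable resolve-and-serve pattern next to a hardened form that canonicalises the path and enforces containment in the web root, plus a small detector for traversal attempts run over constructed access-log lines. The web root `/srv/cm/webroot`, the endpoint `/client/download?file=` and the log lines are all hypothetical.

```python
import os
import re
from urllib.parse import unquote

# Hypothetical web root; the real server's layout is not documented on this page.
WEB_ROOT = os.path.realpath("/srv/cm/webroot")


def vulnerable_resolve(url_path: str) -> str:
    """Vulnerable pattern: the file name comes straight from the URL.

    The framework URL-decodes the path and joins it to the web root, but
    nothing verifies that the result still lies inside WEB_ROOT, so
    '../' sequences walk out to any file the server process can read.
    """
    relative = unquote(url_path).lstrip("/")
    return os.path.normpath(os.path.join(WEB_ROOT, relative))


def hardened_resolve(url_path: str):
    """Hardened form: decode, canonicalise, then enforce containment.

    Returns the absolute path to serve, or None if the request must be
    rejected (NUL byte, or canonical path escaping WEB_ROOT).
    """
    relative = unquote(url_path)
    if "\x00" in relative:            # NUL can truncate paths in lower layers
        return None
    candidate = os.path.realpath(os.path.join(WEB_ROOT, relative.lstrip("/")))
    # commonpath is a string-prefix-safe check: '/srv/cm/webroot2' does not pass.
    if os.path.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


# Indicators of traversal in the raw or once-decoded request path.
TRAVERSAL_RE = re.compile(r"(\.\.[/\\]|%2e%2e|%252e|\.\.%2f|%c0%ae)", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def flag_traversal(log_lines):
    """Return the request paths in Common Log Format lines that carry traversal markers."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(unquote(path)):
            hits.append(path)
    return hits


# Constructed sample log; the endpoint and hosts are invented for the example.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Mar/2017:10:01:02 +0000] "GET /client/status HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Mar/2017:10:01:09 +0000] "GET /client/download?file=../../../../etc/passwd HTTP/1.1" 200 1983',
    '198.51.100.7 - - [15/Mar/2017:10:01:11 +0000] "GET /client/download?file=..%2F..%2Fconf%2Fserver.xml HTTP/1.1" 200 3310',
]


if __name__ == "__main__":
    probe = "/../../../../etc/passwd"
    print("vulnerable:", vulnerable_resolve(probe))   # resolves to /etc/passwd
    print("hardened:  ", hardened_resolve(probe))     # None: rejected
    for hit in flag_traversal(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The containment check is done after canonicalisation on purpose: blacklisting `../` in the raw string misses encoded and mixed-separator variants, whereas `realpath` followed by `commonpath` judges the path the filesystem will actually open. The detector is deliberately noisy (it matches on markers, not on success), so pair hits with the response status and size to tell a blocked probe from a successful read.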
Recommendations
For Cisco Workload Automation Client Manager Server versions 6.3.0.116 and later, update to a release that includes the fix for this issue.
For Cisco Tidal Enterprise Scheduler Client Manager Server versions 6.2.1.435 and later, update to a release that includes the fix for this issue.
Until the update is applied, restrict network access to the Client Manager Server's web interface to trusted hosts and networks (for example with a host firewall or an upstream ACL). Because the flaw requires no authentication or user interaction, exposure is determined by reachability alone, so limiting who can reach the service is the only effective interim control.
Affected Products
Cisco Tidal Enterprise Scheduler Client Manager Server
Cisco Workload Automation Client Manager Server