PT-2017-3098 · Tenable · Tenable Appliance

Agix · Published 2017-04-18 · Updated 2019-10-03 · CVE-2017-8051

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Tenable Appliance versions 3.5 through 4.4.0
Tenable Appliance versions prior to 3.5

Description
The issue is a flaw in the simpleupload.py script of the Web UI: a remote attacker can inject arbitrary OS commands by manipulating the tns appliance session user parameter, which leads to remote command execution on the appliance.

Recommendations
For Tenable Appliance versions 3.5 through 4.4.0, consider disabling the simpleupload.py script in the Web UI until a patch is available. For Tenable Appliance versions prior to 3.5, restrict access to the Web UI to minimize the risk of exploitation. As a temporary workaround, avoid using the tns appliance session user parameter in the affected API endpoint until the issue is resolved.

Weakness Enumeration

OS Command Injection
Command Injection

Related Identifiers

BDU:2017-02478
CVE-2017-8051

Affected Products

Tenable Appliance