ID

VAR-201702-0804


CVE

CVE-2017-3837


TITLE

Cisco Meeting Server Web Bridge interface vulnerability that allows memory contents to be obtained

Trust: 0.8

sources: JVNDB: JVNDB-2017-001632

DESCRIPTION

An HTTP packet processing vulnerability in the Web Bridge interface of the Cisco Meeting Server (CMS), formerly Acano Conferencing Server, could allow an authenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information. In addition, the attacker could potentially cause the application to crash unexpectedly, resulting in a denial of service (DoS) condition. The attacker would need to be authenticated and have a valid session with the Web Bridge.

Affected Products: This vulnerability affects Cisco Meeting Server software releases prior to 2.1.2. This product was previously known as Acano Conferencing Server. More Information: CSCvc89551. Known Affected Releases: 2.0, 2.0.7, 2.1. Known Fixed Releases: 2.1.2.

The application may also be put into a denial of service (DoS) state. This issue is being tracked by Cisco Bug ID CSCvc89551. There is a security vulnerability in the Web Bridge interface in versions prior to CMS 2.1.2. The vulnerability stems from the fact that the program does not fully authenticate HTTP requests.

Trust: 1.98

sources: NVD: CVE-2017-3837 // JVNDB: JVNDB-2017-001632 // BID: 96243 // VULHUB: VHN-112040

AFFECTED PRODUCTS

vendor: cisco // model: meeting server // scope: eq // version: 2.0.7

Trust: 2.7

vendor: cisco // model: meeting server // scope: eq // version: 2.0.3

Trust: 1.9

vendor: cisco // model: meeting server // scope: eq // version: 2.0.1

Trust: 1.9

vendor: cisco // model: meeting server // scope: eq // version: 2.1.0

Trust: 1.6

vendor: cisco // model: meeting server // scope: eq // version: 2.0.8

Trust: 1.6

vendor: cisco // model: meeting server // scope: eq // version: 2.0.6

Trust: 1.6

vendor: cisco // model: meeting server // scope: eq // version: 2.0.9

Trust: 1.6

vendor: cisco // model: meeting server // scope: eq // version: 2.1.1

Trust: 1.6

vendor: cisco // model: meeting server // scope: eq // version: 2.0.5

Trust: 1.6

vendor: cisco // model: meeting server // scope: eq // version: 2.0.4

Trust: 1.6

vendor: cisco // model: meeting server // scope: eq // version: 2.1

Trust: 1.1

vendor: cisco // model: meeting server // scope: eq // version: 2.0.0

Trust: 1.0

vendor: cisco // model: meeting server // scope: eq // version: 2.0

Trust: 0.8

vendor: cisco // model: meeting server // scope: eq // version: 2.0.2

Trust: 0.3

vendor: cisco // model: meeting server // scope: ne // version: 2.1.2

Trust: 0.3

sources: BID: 96243 // JVNDB: JVNDB-2017-001632 // NVD: CVE-2017-3837 // CNNVD: CNNVD-201702-664

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2017-3837
value: HIGH

Trust: 1.8

CNNVD: CNNVD-201702-664
value: MEDIUM

Trust: 0.6

VULHUB: VHN-112040
value: MEDIUM

Trust: 0.1

NVD:
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: CVE-2017-3837
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-112040
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

NVD:
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.2
version: 3.0

Trust: 1.0

NVD: CVE-2017-3837
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-112040 // JVNDB: JVNDB-2017-001632 // NVD: CVE-2017-3837 // CNNVD: CNNVD-201702-664

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-112040 // JVNDB: JVNDB-2017-001632 // NVD: CVE-2017-3837

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201702-664

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201702-664

CONFIGURATIONS

sources: NVD: CVE-2017-3837

PATCH

title: cisco-sa-20170215-cms1 // url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170215-cms1

Trust: 0.8

title: Cisco Meeting Server Security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=68167

Trust: 0.6

sources: JVNDB: JVNDB-2017-001632 // CNNVD: CNNVD-201702-664

EXTERNAL IDS

db: NVD // id: CVE-2017-3837

Trust: 2.8

db: BID // id: 96243

Trust: 2.0

db: SECTRACK // id: 1037834

Trust: 1.1

db: JVNDB // id: JVNDB-2017-001632

Trust: 0.8

db: CNNVD // id: CNNVD-201702-664

Trust: 0.7

db: VULHUB // id: VHN-112040

Trust: 0.1

sources: VULHUB: VHN-112040 // BID: 96243 // JVNDB: JVNDB-2017-001632 // NVD: CVE-2017-3837 // CNNVD: CNNVD-201702-664

REFERENCES

url:http://www.securityfocus.com/bid/96243

Trust: 1.7

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170215-cms1

Trust: 1.7

url:http://www.securitytracker.com/id/1037834

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3837

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2017-3837

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170215-cms

Trust: 0.3

sources: VULHUB: VHN-112040 // BID: 96243 // JVNDB: JVNDB-2017-001632 // NVD: CVE-2017-3837 // CNNVD: CNNVD-201702-664

CREDITS

Cisco

Trust: 0.9

sources: BID: 96243 // CNNVD: CNNVD-201702-664

SOURCES

db: VULHUB // id: VHN-112040
db: BID // id: 96243
db: JVNDB // id: JVNDB-2017-001632
db: NVD // id: CVE-2017-3837
db: CNNVD // id: CNNVD-201702-664

LAST UPDATE DATE

2023-12-18T12:44:41.924000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-112040 // date: 2017-07-25T00:00:00
db: BID // id: 96243 // date: 2017-03-07T03:03:00
db: JVNDB // id: JVNDB-2017-001632 // date: 2017-03-10T00:00:00
db: NVD // id: CVE-2017-3837 // date: 2017-07-25T01:29:09.187
db: CNNVD // id: CNNVD-201702-664 // date: 2017-02-21T00:00:00

SOURCES RELEASE DATE

db: VULHUB // id: VHN-112040 // date: 2017-02-22T00:00:00
db: BID // id: 96243 // date: 2017-02-15T00:00:00
db: JVNDB // id: JVNDB-2017-001632 // date: 2017-03-10T00:00:00
db: NVD // id: CVE-2017-3837 // date: 2017-02-22T02:59:00.450
db: CNNVD // id: CNNVD-201702-664 // date: 2017-02-21T00:00:00