ID

VAR-201702-0815


CVE

CVE-2017-3791


TITLE

Authentication bypass vulnerability in the web-based GUI of Cisco Prime Home

Trust: 0.8

sources: JVNDB: JVNDB-2017-001400

DESCRIPTION

A vulnerability in the web-based GUI of Cisco Prime Home could allow an unauthenticated, remote attacker to bypass authentication and execute actions with administrator privileges. The vulnerability is due to a processing error in the role-based access control (RBAC) of URLs. An attacker could exploit this vulnerability by sending API commands via HTTP to a particular URL without prior authentication. An exploit could allow the attacker to perform any actions in Cisco Prime Home with administrator privileges. This vulnerability affects Cisco Prime Home versions from 6.3.0.0 to the first fixed release 6.5.0.1. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. Cisco Bug IDs: CSCvb49837. This may lead to further attacks. Cisco Prime Home provides a unified view of connected devices in the home, reduces home network operating costs and improves user experience, among other features. The web-based GUI is one of its web-based graphical user interface components.

Trust: 2.07

sources: NVD: CVE-2017-3791 // JVNDB: JVNDB-2017-001400 // BID: 95933 // VULHUB: VHN-111994 // VULMON: CVE-2017-3791

AFFECTED PRODUCTS

vendor: cisco, model: prime home, scope: eq, version: 6.3.0.0

Trust: 2.4

vendor: cisco, model: prime home, scope: eq, version: 6.3.1.0

Trust: 2.4

vendor: cisco, model: prime home, scope: eq, version: 6.4.0.0

Trust: 2.4

vendor: cisco, model: prime home, scope: eq, version: 6.4.1.0

Trust: 2.4

vendor: cisco, model: prime home, scope: eq, version: 6.4.2.0

Trust: 2.4

vendor: cisco, model: prime home, scope: eq, version: 6.4.2.1

Trust: 2.4

vendor: cisco, model: prime home, scope: eq, version: 6.5

Trust: 0.3

vendor: cisco, model: prime home, scope: eq, version: 6.4

Trust: 0.3

vendor: cisco, model: prime home, scope: eq, version: 6.3

Trust: 0.3

vendor: cisco, model: prime home, scope: ne, version: 6.5.0.1

Trust: 0.3

sources: BID: 95933 // JVNDB: JVNDB-2017-001400 // CNNVD: CNNVD-201702-067 // NVD: CVE-2017-3791

CVSS

SEVERITY

nvd@nist.gov: CVE-2017-3791
value: CRITICAL

Trust: 1.0

NVD: CVE-2017-3791
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201702-067
value: CRITICAL

Trust: 0.6

VULHUB: VHN-111994
value: HIGH

Trust: 0.1

VULMON: CVE-2017-3791
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2017-3791
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-111994
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2017-3791
baseSeverity: CRITICAL
baseScore: 10.0
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 6.0
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-111994 // VULMON: CVE-2017-3791 // JVNDB: JVNDB-2017-001400 // CNNVD: CNNVD-201702-067 // NVD: CVE-2017-3791

PROBLEMTYPE DATA

problemtype: CWE-287

Trust: 1.9

sources: VULHUB: VHN-111994 // JVNDB: JVNDB-2017-001400 // NVD: CVE-2017-3791

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201702-067

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201702-067

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-001400

PATCH

title: cisco-sa-20170201-prime-home, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170201-prime-home

Trust: 0.8

title: Cisco Prime Home Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=67453

Trust: 0.6

title: The Register, url: https://www.theregister.co.uk/2017/02/01/cisco_remote_access_hole_in_prime_home/

Trust: 0.2

sources: VULMON: CVE-2017-3791 // JVNDB: JVNDB-2017-001400 // CNNVD: CNNVD-201702-067

EXTERNAL IDS

db: NVD, id: CVE-2017-3791

Trust: 2.9

db: BID, id: 95933

Trust: 2.1

db: JVNDB, id: JVNDB-2017-001400

Trust: 0.8

db: CNNVD, id: CNNVD-201702-067

Trust: 0.7

db: VULHUB, id: VHN-111994

Trust: 0.1

db: VULMON, id: CVE-2017-3791

Trust: 0.1

sources: VULHUB: VHN-111994 // VULMON: CVE-2017-3791 // BID: 95933 // JVNDB: JVNDB-2017-001400 // CNNVD: CNNVD-201702-067 // NVD: CVE-2017-3791

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170201-prime-home

Trust: 2.1

url: http://www.securityfocus.com/bid/95933

Trust: 1.9

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3791

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2017-3791

Trust: 0.8

url: http://www.cisco.com/

Trust: 0.3

url: https://cwe.mitre.org/data/definitions/287.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

url: https://www.theregister.co.uk/2017/02/01/cisco_remote_access_hole_in_prime_home/

Trust: 0.1

sources: VULHUB: VHN-111994 // VULMON: CVE-2017-3791 // BID: 95933 // JVNDB: JVNDB-2017-001400 // CNNVD: CNNVD-201702-067 // NVD: CVE-2017-3791

CREDITS

Cisco

Trust: 0.3

sources: BID: 95933

SOURCES

db: VULHUB, id: VHN-111994
db: VULMON, id: CVE-2017-3791
db: BID, id: 95933
db: JVNDB, id: JVNDB-2017-001400
db: CNNVD, id: CNNVD-201702-067
db: NVD, id: CVE-2017-3791

LAST UPDATE DATE

2025-04-20T23:27:27.948000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-111994, date: 2019-10-09T00:00:00
db: VULMON, id: CVE-2017-3791, date: 2019-10-09T00:00:00
db: BID, id: 95933, date: 2017-02-02T00:09:00
db: JVNDB, id: JVNDB-2017-001400, date: 2017-02-10T00:00:00
db: CNNVD, id: CNNVD-201702-067, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2017-3791, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: VULHUB, id: VHN-111994, date: 2017-02-01T00:00:00
db: VULMON, id: CVE-2017-3791, date: 2017-02-01T00:00:00
db: BID, id: 95933, date: 2017-02-01T00:00:00
db: JVNDB, id: JVNDB-2017-001400, date: 2017-02-10T00:00:00
db: CNNVD, id: CNNVD-201702-067, date: 2017-02-06T00:00:00
db: NVD, id: CVE-2017-3791, date: 2017-02-01T19:59:00.220