ID

VAR-201703-0715


CVE

CVE-2017-3846


TITLE

Incorrect input validation vulnerability in Cisco Workload Automation and Tidal Enterprise Scheduler

Trust: 0.8

sources: JVNDB: JVNDB-2017-002512

DESCRIPTION

A vulnerability in the Client Manager Server of Cisco Workload Automation and Cisco Tidal Enterprise Scheduler could allow an unauthenticated, remote attacker to retrieve any file from the Client Manager Server. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted URL to the Client Manager Server. An exploit could allow the attacker to retrieve any file from the Cisco Workload Automation or Cisco Tidal Enterprise Scheduler Client Manager Server. This vulnerability affects the following products: Cisco Tidal Enterprise Scheduler Client Manager Server releases 6.2.1.435 and later, Cisco Workload Automation Client Manager Server releases 6.3.0.116 and later. Cisco Bug IDs: CSCvc90789. The vendor has published this vulnerability as Bug ID CSCvc90789. Information may be obtained. Multiple Cisco products are prone to a security vulnerability that allows remote attackers to read arbitrary files. Successful exploits may allow an attacker to read arbitrary files in the context of the user running the affected application. This may aid in further attacks. TES is a set of work automation solutions. The solution simplifies the way enterprise-wide job scheduling and automated business processes are defined, managed and delivered. CWA is a suite of software for optimizing data center workload management. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-tes

Trust: 2.07

sources: NVD: CVE-2017-3846 // JVNDB: JVNDB-2017-002512 // BID: 96910 // VULHUB: VHN-112049 // PACKETSTORM: 141663

AFFECTED PRODUCTS

vendor: cisco, model: tidal enterprise scheduler, scope: eq, version: 6.2.1.435

Trust: 1.9

vendor: cisco, model: tidal enterprise scheduler, scope: eq, version: 6.3.0

Trust: 1.6

vendor: cisco, model: tidal enterprise scheduler, scope: eq, version: 6.2.1.510

Trust: 1.6

vendor: cisco, model: tidal enterprise scheduler, scope: eq, version: 6.3.0.116

Trust: 1.6

vendor: cisco, model: tidal enterprise scheduler, scope: -, version: -

Trust: 0.8

vendor: cisco, model: workload automation, scope: eq, version: 6.3.0.116

Trust: 0.3

sources: BID: 96910 // JVNDB: JVNDB-2017-002512 // CNNVD: CNNVD-201703-636 // NVD: CVE-2017-3846

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-3846
value: HIGH

Trust: 1.0

NVD: CVE-2017-3846
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201703-636
value: MEDIUM

Trust: 0.6

VULHUB: VHN-112049
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-3846
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-112049
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-3846
baseSeverity: HIGH
baseScore: 8.6
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 4.0
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-112049 // JVNDB: JVNDB-2017-002512 // CNNVD: CNNVD-201703-636 // NVD: CVE-2017-3846

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-112049 // JVNDB: JVNDB-2017-002512 // NVD: CVE-2017-3846

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 141663 // CNNVD: CNNVD-201703-636

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201703-636

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-002512

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-112049

PATCH

title: cisco-sa-20170315-tes, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-tes

Trust: 0.8

title: Cisco Tidal Enterprise Scheduler and Workload Automation Enter the fix for the verification vulnerability, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=68497

Trust: 0.6

sources: JVNDB: JVNDB-2017-002512 // CNNVD: CNNVD-201703-636

EXTERNAL IDS

db: NVD, id: CVE-2017-3846

Trust: 2.9

db: BID, id: 96910

Trust: 1.4

db: SECTRACK, id: 1038044

Trust: 1.1

db: JVNDB, id: JVNDB-2017-002512

Trust: 0.8

db: CNNVD, id: CNNVD-201703-636

Trust: 0.7

db: PACKETSTORM, id: 141663

Trust: 0.2

db: VULHUB, id: VHN-112049

Trust: 0.1

sources: VULHUB: VHN-112049 // BID: 96910 // JVNDB: JVNDB-2017-002512 // PACKETSTORM: 141663 // CNNVD: CNNVD-201703-636 // NVD: CVE-2017-3846

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170315-tes

Trust: 2.1

url:http://www.securityfocus.com/bid/96910

Trust: 1.1

url:http://www.securitytracker.com/id/1038044

Trust: 1.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-3846

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3846

Trust: 0.8

url:http://www.cisco.com

Trust: 0.3

sources: VULHUB: VHN-112049 // BID: 96910 // JVNDB: JVNDB-2017-002512 // PACKETSTORM: 141663 // CNNVD: CNNVD-201703-636 // NVD: CVE-2017-3846

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 96910

SOURCES

db: VULHUB, id: VHN-112049
db: BID, id: 96910
db: JVNDB, id: JVNDB-2017-002512
db: PACKETSTORM, id: 141663
db: CNNVD, id: CNNVD-201703-636
db: NVD, id: CVE-2017-3846

LAST UPDATE DATE

2025-04-20T23:37:58.389000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-112049, date: 2017-07-12T00:00:00
db: BID, id: 96910, date: 2017-03-16T00:03:00
db: JVNDB, id: JVNDB-2017-002512, date: 2017-04-18T00:00:00
db: CNNVD, id: CNNVD-201703-636, date: 2017-03-28T00:00:00
db: NVD, id: CVE-2017-3846, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: VULHUB, id: VHN-112049, date: 2017-03-15T00:00:00
db: BID, id: 96910, date: 2017-03-15T00:00:00
db: JVNDB, id: JVNDB-2017-002512, date: 2017-04-18T00:00:00
db: PACKETSTORM, id: 141663, date: 2017-03-16T00:10:59
db: CNNVD, id: CNNVD-201703-636, date: 2017-03-28T00:00:00
db: NVD, id: CVE-2017-3846, date: 2017-03-15T20:59:00.227