Details of VAR-201704-1542

ID

VAR-201704-1542

CVE

CVE-2017-7457

TITLE

Moxa MX AOPC-Server XML External entity injection vulnerability

Trust: 0.8

sources: IVD: 5cbd2f0e-ae32-45c5-b0c2-bc76afecdeb8 // CNVD: CNVD-2017-05520

DESCRIPTION

XML External Entity via ".AOP" files used by Moxa MX-AOPC Server 1.5 result in remote file disclosure. The Moxa MX-AOPC UA kit is an OPC UA server for industrial automation that supports push-pull communication. Allows local users to open specially crafted malicious MX-AOPC server file types. MX-AOPC UA SERVER is a set of automated software solutions from Moxa to help users realize seamless SCADA equipment data management

Trust: 2.52

sources: NVD: CVE-2017-7457 // JVNDB: JVNDB-2017-003172 // CNVD: CNVD-2017-05520 // IVD: 5cbd2f0e-ae32-45c5-b0c2-bc76afecdeb8 // VULHUB: VHN-115660 // VULMON: CVE-2017-7457

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 5cbd2f0e-ae32-45c5-b0c2-bc76afecdeb8 // CNVD: CNVD-2017-05520

AFFECTED PRODUCTS

vendor:	moxa	model:	mx-aopc server	scope:	eq	version:	1.5	Trust: 2.4
vendor:	moxa	model:	mx-aopc ua server	scope:	eq	version:	1.5	Trust: 0.6
vendor:	mx aopc server	model:	-	scope:	eq	version:	1.5	Trust: 0.2

sources: IVD: 5cbd2f0e-ae32-45c5-b0c2-bc76afecdeb8 // CNVD: CNVD-2017-05520 // JVNDB: JVNDB-2017-003172 // CNNVD: CNNVD-201704-830 // NVD: CVE-2017-7457

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-7457
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-7457
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-05520
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-201704-830
value:	LOW
Trust: 0.6
IVD:	5cbd2f0e-ae32-45c5-b0c2-bc76afecdeb8
value:	LOW
Trust: 0.2
VULHUB:	VHN-115660
value:	LOW
Trust: 0.1
VULMON:	CVE-2017-7457
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2017-7457
severity:	LOW
baseScore:	1.9
vectorString:	AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.4
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2017-05520
severity:	LOW
baseScore:	1.9
vectorString:	AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.4
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	5cbd2f0e-ae32-45c5-b0c2-bc76afecdeb8
severity:	LOW
baseScore:	1.9
vectorString:	AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.4
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-115660
severity:	LOW
baseScore:	1.9
vectorString:	AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.4
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-7457
baseSeverity:	MEDIUM
baseScore:	5.0
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.3
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: IVD: 5cbd2f0e-ae32-45c5-b0c2-bc76afecdeb8 // CNVD: CNVD-2017-05520 // VULHUB: VHN-115660 // VULMON: CVE-2017-7457 // JVNDB: JVNDB-2017-003172 // CNNVD: CNNVD-201704-830 // NVD: CVE-2017-7457

PROBLEMTYPE DATA

problemtype:

CWE-611

Trust: 1.9

sources: VULHUB: VHN-115660 // JVNDB: JVNDB-2017-003172 // NVD: CVE-2017-7457

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201704-830

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201704-830

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-003172

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-115660 // VULMON: CVE-2017-7457

PATCH

title:	Top Page	url:	http://www.moxa.com/	Trust: 0.8
title:	MX-AOPC UA SERVER Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=69328	Trust: 0.6

sources: JVNDB: JVNDB-2017-003172 // CNNVD: CNNVD-201704-830

EXTERNAL IDS

db:	NVD	id:	CVE-2017-7457	Trust: 3.4
db:	EXPLOIT-DB	id:	41852	Trust: 1.2
db:	CNNVD	id:	CNNVD-201704-830	Trust: 0.9
db:	CNVD	id:	CNVD-2017-05520	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-003172	Trust: 0.8
db:	IVD	id:	5CBD2F0E-AE32-45C5-B0C2-BC76AFECDEB8	Trust: 0.2
db:	PACKETSTORM	id:	142076	Trust: 0.1
db:	VULHUB	id:	VHN-115660	Trust: 0.1
db:	VULMON	id:	CVE-2017-7457	Trust: 0.1

REFERENCES

url:	http://seclists.org/fulldisclosure/2017/apr/51	Trust: 2.6
url:	http://hyp3rlinx.altervista.org/advisories/moxa-mx-aopc-server-v1.5-xml-external-entity.txt	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2017-7457	Trust: 1.4
url:	https://www.exploit-db.com/exploits/41852/	Trust: 1.3
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-7457	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/611.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2017-05520 // VULHUB: VHN-115660 // VULMON: CVE-2017-7457 // JVNDB: JVNDB-2017-003172 // CNNVD: CNNVD-201704-830 // NVD: CVE-2017-7457

SOURCES

db:	IVD	id:	5cbd2f0e-ae32-45c5-b0c2-bc76afecdeb8
db:	CNVD	id:	CNVD-2017-05520
db:	VULHUB	id:	VHN-115660
db:	VULMON	id:	CVE-2017-7457
db:	JVNDB	id:	JVNDB-2017-003172
db:	CNNVD	id:	CNNVD-201704-830
db:	NVD	id:	CVE-2017-7457

LAST UPDATE DATE

2025-04-20T23:22:22.916000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-05520	date:	2017-04-27T00:00:00
db:	VULHUB	id:	VHN-115660	date:	2017-08-16T00:00:00
db:	VULMON	id:	CVE-2017-7457	date:	2017-08-16T00:00:00
db:	JVNDB	id:	JVNDB-2017-003172	date:	2017-05-18T00:00:00
db:	CNNVD	id:	CNNVD-201704-830	date:	2017-04-28T00:00:00
db:	NVD	id:	CVE-2017-7457	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	IVD	id:	5cbd2f0e-ae32-45c5-b0c2-bc76afecdeb8	date:	2017-04-27T00:00:00
db:	CNVD	id:	CNVD-2017-05520	date:	2017-04-26T00:00:00
db:	VULHUB	id:	VHN-115660	date:	2017-04-14T00:00:00
db:	VULMON	id:	CVE-2017-7457	date:	2017-04-14T00:00:00
db:	JVNDB	id:	JVNDB-2017-003172	date:	2017-05-18T00:00:00
db:	CNNVD	id:	CNNVD-201704-830	date:	2017-04-28T00:00:00
db:	NVD	id:	CVE-2017-7457	date:	2017-04-14T14:59:00.463