Details of VAR-201705-3736

ID

VAR-201705-3736

CVE

CVE-2017-6621

TITLE

Cisco Prime Collaboration Provisioning of Web Vulnerabilities accessing critical data in the interface

Trust: 0.8

sources: JVNDB: JVNDB-2017-004116

DESCRIPTION

A vulnerability in the web interface of Cisco Prime Collaboration Provisioning could allow an unauthenticated, remote attacker to access sensitive data. The attacker could use this information to conduct additional reconnaissance attacks. The vulnerability is due to insufficient protection of sensitive data when responding to an HTTP request on the web interface. An attacker could exploit the vulnerability by sending a crafted HTTP request to the application to access specific system files. An exploit could allow the attacker to obtain sensitive information about the application which could include user credentials. This vulnerability affects Cisco Prime Collaboration Provisioning Software Releases 10.6 through 11.5. Cisco Bug IDs: CSCvc99626. Authentication is not required to exploit this vulnerability.The specific flaw exists within the logconfigtracer.jsp page, which listens on TCP port 443 by default. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose any files accessible to the root user. This may result in further attacks. The software provides IP communications services functionality for IP telephony, voice mail, and unified communications environments

Trust: 2.61

sources: NVD: CVE-2017-6621 // JVNDB: JVNDB-2017-004116 // ZDI: ZDI-17-447 // BID: 98522 // VULHUB: VHN-114824

AFFECTED PRODUCTS

vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	10.5.1	Trust: 1.9
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	11.1.0	Trust: 1.6
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	10.6.0	Trust: 1.6
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	10.6.2	Trust: 1.6
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	9.0.0	Trust: 1.6
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	10.5.0	Trust: 1.6
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	10.0.0	Trust: 1.6
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	9.5.0	Trust: 1.6
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	11.5.0	Trust: 1.6
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	11.0.0	Trust: 1.6
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	10.6 to 11.5	Trust: 0.8
vendor:	cisco	model:	prime collaboration provisioning	scope:	-	version:	-	Trust: 0.7
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	9.5	Trust: 0.3
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	9.0	Trust: 0.3
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	11.5	Trust: 0.3
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	11.2	Trust: 0.3
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	11.0	Trust: 0.3
vendor:	cisco	model:	prime collaboration provisioning sp2	scope:	eq	version:	10.6	Trust: 0.3
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	10.6	Trust: 0.3
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	10.5	Trust: 0.3
vendor:	cisco	model:	prime collaboration provisioning	scope:	eq	version:	10.0	Trust: 0.3
vendor:	cisco	model:	prime collaboration provisioning	scope:	ne	version:	12.1	Trust: 0.3
vendor:	cisco	model:	prime collaboration provisioning	scope:	ne	version:	11.6	Trust: 0.3

sources: ZDI: ZDI-17-447 // BID: 98522 // JVNDB: JVNDB-2017-004116 // CNNVD: CNNVD-201705-849 // NVD: CVE-2017-6621

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-6621
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-6621
value:	HIGH
Trust: 0.8
ZDI:	CVE-2017-6621
value:	HIGH
Trust: 0.7
CNNVD:	CNNVD-201705-849
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-114824
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-6621
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
ZDI:	CVE-2017-6621
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.7
VULHUB:	VHN-114824
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-6621
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: ZDI: ZDI-17-447 // VULHUB: VHN-114824 // JVNDB: JVNDB-2017-004116 // CNNVD: CNNVD-201705-849 // NVD: CVE-2017-6621

PROBLEMTYPE DATA

problemtype:

CWE-200

Trust: 1.9

sources: VULHUB: VHN-114824 // JVNDB: JVNDB-2017-004116 // NVD: CVE-2017-6621

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201705-849

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201705-849

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-004116

PATCH

title:	cisco-sa-20170517-pcp2	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-pcp2	Trust: 1.5
title:	Cisco Prime Collaboration Provisioning Software Repair measures for information disclosure vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=70380	Trust: 0.6

sources: ZDI: ZDI-17-447 // JVNDB: JVNDB-2017-004116 // CNNVD: CNNVD-201705-849

EXTERNAL IDS

db:	NVD	id:	CVE-2017-6621	Trust: 3.5
db:	BID	id:	98522	Trust: 1.4
db:	SECTRACK	id:	1038508	Trust: 1.1
db:	JVNDB	id:	JVNDB-2017-004116	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-4468	Trust: 0.7
db:	ZDI	id:	ZDI-17-447	Trust: 0.7
db:	CNNVD	id:	CNNVD-201705-849	Trust: 0.7
db:	NSFOCUS	id:	36719	Trust: 0.6
db:	VULHUB	id:	VHN-114824	Trust: 0.1

sources: ZDI: ZDI-17-447 // VULHUB: VHN-114824 // BID: 98522 // JVNDB: JVNDB-2017-004116 // CNNVD: CNNVD-201705-849 // NVD: CVE-2017-6621

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170517-pcp2	Trust: 2.7
url:	http://www.securityfocus.com/bid/98522	Trust: 1.1
url:	http://www.securitytracker.com/id/1038508	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6621	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-6621	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/36719	Trust: 0.6
url:	http://www.cisco.com/	Trust: 0.3

sources: ZDI: ZDI-17-447 // VULHUB: VHN-114824 // BID: 98522 // JVNDB: JVNDB-2017-004116 // CNNVD: CNNVD-201705-849 // NVD: CVE-2017-6621

CREDITS

rgod

Trust: 0.7

sources: ZDI: ZDI-17-447

SOURCES

db:	ZDI	id:	ZDI-17-447
db:	VULHUB	id:	VHN-114824
db:	BID	id:	98522
db:	JVNDB	id:	JVNDB-2017-004116
db:	CNNVD	id:	CNNVD-201705-849
db:	NVD	id:	CVE-2017-6621

LAST UPDATE DATE

2025-04-20T23:32:57.853000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-17-447	date:	2017-06-26T00:00:00
db:	VULHUB	id:	VHN-114824	date:	2017-07-08T00:00:00
db:	BID	id:	98522	date:	2017-05-17T00:00:00
db:	JVNDB	id:	JVNDB-2017-004116	date:	2017-06-16T00:00:00
db:	CNNVD	id:	CNNVD-201705-849	date:	2017-05-25T00:00:00
db:	NVD	id:	CVE-2017-6621	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-17-447	date:	2017-06-26T00:00:00
db:	VULHUB	id:	VHN-114824	date:	2017-05-18T00:00:00
db:	BID	id:	98522	date:	2017-05-17T00:00:00
db:	JVNDB	id:	JVNDB-2017-004116	date:	2017-06-16T00:00:00
db:	CNNVD	id:	CNNVD-201705-849	date:	2017-05-25T00:00:00
db:	NVD	id:	CVE-2017-6621	date:	2017-05-18T19:29:00.203