Details of VAR-201710-0249

ID

VAR-201710-0249

CVE

CVE-2017-10617

TITLE

Juniper Networks Contrail In XML External entity vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2017-009388

DESCRIPTION

The ifmap service that comes bundled with Contrail has an XML External Entity (XXE) vulnerability that may allow an attacker to retrieve sensitive system files. Affected releases are Juniper Networks Contrail 2.2 prior to 2.21.4; 3.0 prior to 3.0.3.4; 3.1 prior to 3.1.4.0; 3.2 prior to 3.2.5.0. CVE-2017-10616 and CVE-2017-10617 can be chained together and have a combined CVSSv3 score of 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N). This vulnerability CVE-2017-10616 And related issues.Information may be obtained. The solution provides intelligent automation, application security and reliability for cloud and NFV

Trust: 1.8

sources: NVD: CVE-2017-10617 // JVNDB: JVNDB-2017-009388 // VULHUB: VHN-100957 // VULMON: CVE-2017-10617

AFFECTED PRODUCTS

vendor:	juniper	model:	contrail	scope:	lt	version:	3.2.5.0	Trust: 1.0
vendor:	juniper	model:	contrail	scope:	gte	version:	3.2	Trust: 1.0
vendor:	juniper	model:	contrail	scope:	lt	version:	3.0.3.4	Trust: 1.0
vendor:	juniper	model:	contrail	scope:	gte	version:	3.1	Trust: 1.0
vendor:	juniper	model:	contrail	scope:	lt	version:	3.1.4.0	Trust: 1.0
vendor:	juniper	model:	contrail	scope:	gte	version:	3.0	Trust: 1.0
vendor:	juniper	model:	contrail	scope:	lt	version:	2.21.4	Trust: 1.0
vendor:	juniper	model:	contrail	scope:	gte	version:	2.2	Trust: 1.0
vendor:	juniper	model:	contrail	scope:	lt	version:	3.1	Trust: 0.8
vendor:	juniper	model:	contrail	scope:	lt	version:	3.0	Trust: 0.8
vendor:	juniper	model:	contrail	scope:	eq	version:	3.2.5.0	Trust: 0.8
vendor:	juniper	model:	contrail	scope:	lt	version:	3.2	Trust: 0.8
vendor:	juniper	model:	contrail	scope:	eq	version:	3.1.4.0	Trust: 0.8
vendor:	juniper	model:	contrail	scope:	lt	version:	2.2	Trust: 0.8
vendor:	juniper	model:	contrail	scope:	eq	version:	3.0.3.4	Trust: 0.8
vendor:	juniper	model:	contrail	scope:	eq	version:	2.21.4	Trust: 0.8
vendor:	juniper	model:	contrail	scope:	eq	version:	2.2	Trust: 0.6
vendor:	juniper	model:	contrail	scope:	eq	version:	3.1	Trust: 0.6
vendor:	juniper	model:	contrail	scope:	eq	version:	3.0	Trust: 0.6
vendor:	juniper	model:	contrail	scope:	eq	version:	3.2	Trust: 0.6

sources: JVNDB: JVNDB-2017-009388 // CNNVD: CNNVD-201710-510 // NVD: CVE-2017-10617

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-10617
value:	MEDIUM
Trust: 1.0
sirt@juniper.net:	CVE-2017-10617
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-10617
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201710-510
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-100957
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2017-10617
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-10617
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-100957
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-10617
baseSeverity:	MEDIUM
baseScore:	5.0
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.1
impactScore:	1.4
version:	3.1
Trust: 2.0
NVD:	CVE-2017-10617
baseSeverity:	MEDIUM
baseScore:	5.0
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-100957 // VULMON: CVE-2017-10617 // JVNDB: JVNDB-2017-009388 // CNNVD: CNNVD-201710-510 // NVD: CVE-2017-10617 // NVD: CVE-2017-10617

PROBLEMTYPE DATA

problemtype:

CWE-611

Trust: 1.9

sources: VULHUB: VHN-100957 // JVNDB: JVNDB-2017-009388 // NVD: CVE-2017-10617

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201710-510

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201710-510

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-009388

PATCH

title:	JSA10819	url:	https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10819&actp=METADATA	Trust: 0.8
title:	Juniper Contrail Security vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=75546	Trust: 0.6
title:	-	url:	https://github.com/Live-Hack-CVE/CVE-2017-10617	Trust: 0.1
title:	-	url:	https://github.com/Live-Hack-CVE/CVE-2017-10616	Trust: 0.1

sources: VULMON: CVE-2017-10617 // JVNDB: JVNDB-2017-009388 // CNNVD: CNNVD-201710-510

EXTERNAL IDS

db:	NVD	id:	CVE-2017-10617	Trust: 2.6
db:	JUNIPER	id:	JSA10819	Trust: 1.8
db:	JVNDB	id:	JVNDB-2017-009388	Trust: 0.8
db:	CNNVD	id:	CNNVD-201710-510	Trust: 0.7
db:	VULHUB	id:	VHN-100957	Trust: 0.1
db:	VULMON	id:	CVE-2017-10617	Trust: 0.1

sources: VULHUB: VHN-100957 // VULMON: CVE-2017-10617 // JVNDB: JVNDB-2017-009388 // CNNVD: CNNVD-201710-510 // NVD: CVE-2017-10617

REFERENCES

url:	https://kb.juniper.net/jsa10819	Trust: 1.8
url:	https://github.com/orangecertcc/security-research/security/advisories/ghsa-wjp8-8qf6-vqmc	Trust: 1.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-10617	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-10617	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/611.html	Trust: 0.1
url:	https://github.com/live-hack-cve/cve-2017-10617	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-100957 // VULMON: CVE-2017-10617 // JVNDB: JVNDB-2017-009388 // CNNVD: CNNVD-201710-510 // NVD: CVE-2017-10617

SOURCES

db:	VULHUB	id:	VHN-100957
db:	VULMON	id:	CVE-2017-10617
db:	JVNDB	id:	JVNDB-2017-009388
db:	CNNVD	id:	CNNVD-201710-510
db:	NVD	id:	CVE-2017-10617

LAST UPDATE DATE

2025-04-20T23:12:53.869000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-100957	date:	2023-01-30T00:00:00
db:	VULMON	id:	CVE-2017-10617	date:	2023-01-13T00:00:00
db:	JVNDB	id:	JVNDB-2017-009388	date:	2017-11-10T00:00:00
db:	CNNVD	id:	CNNVD-201710-510	date:	2023-01-16T00:00:00
db:	NVD	id:	CVE-2017-10617	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-100957	date:	2017-10-13T00:00:00
db:	VULMON	id:	CVE-2017-10617	date:	2017-10-13T00:00:00
db:	JVNDB	id:	JVNDB-2017-009388	date:	2017-11-10T00:00:00
db:	CNNVD	id:	CNNVD-201710-510	date:	2017-10-18T00:00:00
db:	NVD	id:	CVE-2017-10617	date:	2017-10-13T17:29:00.817