Sign-up

ID

VAR-201710-0641


CVE

CVE-2017-12263


TITLE

Cisco License Manager Path traversal vulnerability in software

Trust: 0.8

sources: JVNDB: JVNDB-2017-009265

DESCRIPTION

A vulnerability in the web interface of Cisco License Manager software could allow an unauthenticated, remote attacker to download and view files within the application that should be restricted, aka Directory Traversal. The issue is due to improper sanitization of user-supplied input in HTTP request parameters that describe filenames. An attacker could exploit this vulnerability by using directory traversal techniques to submit a path to a desired file location. An exploit could allow the attacker to view application files that may contain sensitive information. Cisco Bug IDs: CSCvd83577. Vendors have confirmed this vulnerability Bug ID CSCvd83577 It is released as.Information may be obtained. Authentication is not required to exploit this vulnerability.The specific flaw exists within the ReportCSV servlet, which listens on TCP port 8080 by default. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to read any files accessible to the SYSTEM user. This software is used to activate Cisco equipment and software, and obtain equipment licenses or product keys online

Trust: 2.61

sources: NVD: CVE-2017-12263 // JVNDB: JVNDB-2017-009265 // ZDI: ZDI-17-837 // BID: 101169 // VULHUB: VHN-102768

AFFECTED PRODUCTS

vendor:ciscomodel:license managerscope:eqversion:3.2.6

Trust: 1.9

vendor:ciscomodel:license manager softwarescope: - version: -

Trust: 0.8

vendor:ciscomodel:license manager serverscope: - version: -

Trust: 0.7

sources: ZDI: ZDI-17-837 // BID: 101169 // JVNDB: JVNDB-2017-009265 // CNNVD: CNNVD-201710-055 // NVD: CVE-2017-12263

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-12263
value: HIGH

Trust: 1.0

NVD: CVE-2017-12263
value: HIGH

Trust: 0.8

ZDI: CVE-2017-12263
value: HIGH

Trust: 0.7

CNNVD: CNNVD-201710-055
value: HIGH

Trust: 0.6

VULHUB: VHN-102768
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-12263
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

ZDI: CVE-2017-12263
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

VULHUB: VHN-102768
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-12263
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: ZDI: ZDI-17-837 // VULHUB: VHN-102768 // JVNDB: JVNDB-2017-009265 // CNNVD: CNNVD-201710-055 // NVD: CVE-2017-12263

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.9

sources: VULHUB: VHN-102768 // JVNDB: JVNDB-2017-009265 // NVD: CVE-2017-12263

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201710-055

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201710-055

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-009265

PATCH
title:cisco-sa-20171004-clmurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-clm
Trust: 1.5
sources:
            
            
            ZDI: ZDI-17-837 // 
            
            
            
            JVNDB: JVNDB-2017-009265

EXTERNAL IDS
db:NVDid:CVE-2017-12263
Trust: 3.5
db:BIDid:101169
Trust: 2.0
db:ZDIid:ZDI-17-837
Trust: 1.0
db:JVNDBid:JVNDB-2017-009265
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-4635
Trust: 0.7
db:CNNVDid:CNNVD-201710-055
Trust: 0.7
db:VULHUBid:VHN-102768
Trust: 0.1
sources:
            
            
            ZDI: ZDI-17-837 // 
            
            
            
            VULHUB: VHN-102768 // 
            
            
            
            BID: 101169 // 
            
            
            
            JVNDB: JVNDB-2017-009265 // 
            
            
            
            CNNVD: CNNVD-201710-055 // 
            
            
            
            NVD: CVE-2017-12263

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20171004-clm
Trust: 2.7
url:http://www.securityfocus.com/bid/101169
Trust: 1.7
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12263
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-12263
Trust: 0.8
url:http://www.cisco.com/
Trust: 0.3
url:http://www.zerodayinitiative.com/advisories/zdi-17-837/
Trust: 0.3
sources:
            
            
            ZDI: ZDI-17-837 // 
            
            
            
            VULHUB: VHN-102768 // 
            
            
            
            BID: 101169 // 
            
            
            
            JVNDB: JVNDB-2017-009265 // 
            
            
            
            CNNVD: CNNVD-201710-055 // 
            
            
            
            NVD: CVE-2017-12263

CREDITS
rgod
Trust: 0.7
sources:
            
            
            ZDI: ZDI-17-837

SOURCES
db:ZDIid:ZDI-17-837
db:VULHUBid:VHN-102768
db:BIDid:101169
db:JVNDBid:JVNDB-2017-009265
db:CNNVDid:CNNVD-201710-055
db:NVDid:CVE-2017-12263

LAST UPDATE DATE
2025-04-20T23:35:41.895000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-17-837date:2017-10-04T00:00:00
db:VULHUBid:VHN-102768date:2019-10-09T00:00:00
db:BIDid:101169date:2017-10-04T00:00:00
db:JVNDBid:JVNDB-2017-009265date:2017-11-07T00:00:00
db:CNNVDid:CNNVD-201710-055date:2019-10-17T00:00:00
db:NVDid:CVE-2017-12263date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:ZDIid:ZDI-17-837date:2017-10-04T00:00:00
db:VULHUBid:VHN-102768date:2017-10-05T00:00:00
db:BIDid:101169date:2017-10-04T00:00:00
db:JVNDBid:JVNDB-2017-009265date:2017-11-07T00:00:00
db:CNNVDid:CNNVD-201710-055date:2017-10-12T00:00:00
db:NVDid:CVE-2017-12263date:2017-10-05T07:29:00.510