Details of VAR-201712-0240

ID

VAR-201712-0240

CVE

CVE-2017-15524

TITLE

Kemp Application Firewall Pack Vulnerabilities related to security functions in components

Trust: 0.8

sources: JVNDB: JVNDB-2017-011621

DESCRIPTION

The Application Firewall Pack (AFP, aka Web Application Firewall) component on Kemp Load Balancer devices with software before 7.2.40.1 allows a Security Feature Bypass via an HTTP POST request. Kemp Load Balancer is a load balancing device produced by Kemp Technologies in the United States. There is a security vulnerability in the AFP component of Kemp Load Balancer versions 7.1.30 to 7.2.40

Trust: 1.71

sources: NVD: CVE-2017-15524 // JVNDB: JVNDB-2017-011621 // VULHUB: VHN-106355

AFFECTED PRODUCTS

vendor:	kemptechnologies	model:	web application firewall	scope:	lte	version:	7.2.40	Trust: 1.0
vendor:	kemp	model:	web application firewall	scope:	lt	version:	7.2.40.1	Trust: 0.8
vendor:	kemptechnologies	model:	web application firewall	scope:	eq	version:	7.2.40	Trust: 0.6

sources: JVNDB: JVNDB-2017-011621 // CNNVD: CNNVD-201712-738 // NVD: CVE-2017-15524

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-15524
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2017-15524
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-201712-738
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-106355
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-15524
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-106355
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-15524
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	5.2
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-106355 // JVNDB: JVNDB-2017-011621 // CNNVD: CNNVD-201712-738 // NVD: CVE-2017-15524

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-254	Trust: 0.9

sources: VULHUB: VHN-106355 // JVNDB: JVNDB-2017-011621 // NVD: CVE-2017-15524

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201712-738

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201712-738

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-011621

PATCH

title:	KEMP LoadMaster Release Notes	url:	https://kemptechnologies.com/files/assets/documentation/7.2/release-notes/Release_Notes-LoadMaster.pdf?pdf-file-view=1	Trust: 0.8
title:	Kemp Load Balancer Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=77230	Trust: 0.6

sources: JVNDB: JVNDB-2017-011621 // CNNVD: CNNVD-201712-738

EXTERNAL IDS

db:	NVD	id:	CVE-2017-15524	Trust: 2.5
db:	JVNDB	id:	JVNDB-2017-011621	Trust: 0.8
db:	CNNVD	id:	CNNVD-201712-738	Trust: 0.7
db:	PACKETSTORM	id:	145433	Trust: 0.1
db:	VULHUB	id:	VHN-106355	Trust: 0.1

sources: VULHUB: VHN-106355 // JVNDB: JVNDB-2017-011621 // CNNVD: CNNVD-201712-738 // NVD: CVE-2017-15524

REFERENCES

url:	http://www.securityfocus.com/archive/1/541602/100/0/threaded	Trust: 1.7
url:	https://kemptechnologies.com/files/assets/documentation/7.2/release-notes/release_notes-loadmaster.pdf?pdf-file-view=1	Trust: 1.7
url:	https://www.pallas.com/advisories/cve_2017_15524_kemp_afp_waf_bug_on_post_data	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-15524	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-15524	Trust: 0.8
url:	https://www.pallas.com/advisories/cve-2017-15524-kemp-afp-waf-bug-on-post-data	Trust: 0.8

sources: VULHUB: VHN-106355 // JVNDB: JVNDB-2017-011621 // CNNVD: CNNVD-201712-738 // NVD: CVE-2017-15524

SOURCES

db:	VULHUB	id:	VHN-106355
db:	JVNDB	id:	JVNDB-2017-011621
db:	CNNVD	id:	CNNVD-201712-738
db:	NVD	id:	CVE-2017-15524

LAST UPDATE DATE

2025-04-20T23:38:21.281000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-106355	date:	2019-10-03T00:00:00
db:	JVNDB	id:	JVNDB-2017-011621	date:	2018-01-23T00:00:00
db:	CNNVD	id:	CNNVD-201712-738	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2017-15524	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-106355	date:	2017-12-19T00:00:00
db:	JVNDB	id:	JVNDB-2017-011621	date:	2018-01-23T00:00:00
db:	CNNVD	id:	CNNVD-201712-738	date:	2017-12-21T00:00:00
db:	NVD	id:	CVE-2017-15524	date:	2017-12-19T02:29:41.127