ID

VAR-201802-0662


CVE

CVE-2017-9447


TITLE

Parallels Remote Application Server path traversal vulnerability

Trust: 1.4

sources: CNVD: CNVD-2018-06546 // JVNDB: JVNDB-2017-012796

DESCRIPTION

In the web interface of Parallels Remote Application Server (RAS) 15.5 Build 16140, a vulnerability exists due to improper validation of the file path when requesting a resource under the "RASHTML5Gateway" directory. A remote, unauthenticated attacker could exploit this weakness to read arbitrary files from the vulnerable system using path traversal sequences. Parallels RAS is a solution that provides remote access to virtual desktops and applications for devices on the network.

Trust: 2.16

sources: NVD: CVE-2017-9447 // JVNDB: JVNDB-2017-012796 // CNVD: CNVD-2018-06546

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-06546

AFFECTED PRODUCTS

vendor: parallels, model: remote application server, scope: eq, version: 15.5

Trust: 1.6

vendor: parallels, model: remote application server, scope: eq, version: 15.5 build 16140

Trust: 0.8

vendor: parallels, model: remote application server build, scope: eq, version: 15.516140

Trust: 0.6

sources: CNVD: CNVD-2018-06546 // JVNDB: JVNDB-2017-012796 // CNNVD: CNNVD-201706-126 // NVD: CVE-2017-9447

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-9447
value: HIGH

Trust: 1.0

NVD: CVE-2017-9447
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-06546
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201706-126
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2017-9447
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-06546
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2017-9447
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-06546 // JVNDB: JVNDB-2017-012796 // CNNVD: CNNVD-201706-126 // NVD: CVE-2017-9447

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.8

sources: JVNDB: JVNDB-2017-012796 // NVD: CVE-2017-9447

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-126

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201706-126

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-012796

PATCH

title: Parallels Remote Application Server, url: https://www.parallels.com/jp/products/ras/remote-application-server

Trust: 0.8

title: Patch for Parallels Remote Application Server path traversal vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/123703

Trust: 0.6

sources: CNVD: CNVD-2018-06546 // JVNDB: JVNDB-2017-012796

EXTERNAL IDS

db: NVD, id: CVE-2017-9447

Trust: 3.0

db: EXPLOIT-DB, id: 442321

Trust: 1.0

db: JVNDB, id: JVNDB-2017-012796

Trust: 0.8

db: CNVD, id: CNVD-2018-06546

Trust: 0.6

db: CNNVD, id: CNNVD-201706-126

Trust: 0.6

sources: CNVD: CNVD-2018-06546 // JVNDB: JVNDB-2017-012796 // CNNVD: CNNVD-201706-126 // NVD: CVE-2017-9447

REFERENCES

url:https://blog.runesec.com/2018/02/22/parallels-ras-path-traversal/

Trust: 3.0

url:https://www.exploit-db.com/exploits/442321/

Trust: 1.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9447

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-9447

Trust: 0.8

sources: CNVD: CNVD-2018-06546 // JVNDB: JVNDB-2017-012796 // CNNVD: CNNVD-201706-126 // NVD: CVE-2017-9447

SOURCES

db: CNVD, id: CNVD-2018-06546
db: JVNDB, id: JVNDB-2017-012796
db: CNNVD, id: CNNVD-201706-126
db: NVD, id: CVE-2017-9447

LAST UPDATE DATE

2024-11-23T23:12:15.019000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-06546, date: 2018-03-28T00:00:00
db: JVNDB, id: JVNDB-2017-012796, date: 2018-04-18T00:00:00
db: CNNVD, id: CNNVD-201706-126, date: 2018-03-01T00:00:00
db: NVD, id: CVE-2017-9447, date: 2024-11-21T03:36:09.093

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2018-06546, date: 2018-03-28T00:00:00
db: JVNDB, id: JVNDB-2017-012796, date: 2018-04-18T00:00:00
db: CNNVD, id: CNNVD-201706-126, date: 2017-06-06T00:00:00
db: NVD, id: CVE-2017-9447, date: 2018-02-28T15:29:00.273