Sign-up

ID

VAR-201803-0135


CVE

CVE-2017-14384


TITLE

Dell Storage Manager Path traversal vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2017-012971 // CNNVD: CNNVD-201709-448

DESCRIPTION

In Dell Storage Manager versions earlier than 16.3.20, the EMConfigMigration service is affected by a directory traversal vulnerability. A remote malicious user could potentially exploit this vulnerability to read unauthorized files by supplying specially crafted strings in input parameters of the application. A malicious user cannot delete or modify any files via this vulnerability. This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Dell EMC Storage Manager. Authentication is not required to exploit this vulnerability.The specific flaw exists within the EmConfigMigration servlet, which listens on TCP port 3033 by default. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. Remote attackers may use a specially crafted request with directory-traversal sequences ('../') to retrieve sensitive information. This may aid in further attacks

Trust: 2.61

sources: NVD: CVE-2017-14384 // JVNDB: JVNDB-2017-012971 // ZDI: ZDI-18-129 // BID: 103467 // VULHUB: VHN-105101

AFFECTED PRODUCTS

vendor:dellmodel:storage managerscope:ltversion:16.3.20

Trust: 1.8

vendor:dell emcmodel:storage managerscope: - version: -

Trust: 0.7

vendor:dellmodel:storage manager r3.10scope:eqversion:2016

Trust: 0.3

vendor:dellmodel:storage manager r3.20scope:neversion:2016

Trust: 0.3

sources: ZDI: ZDI-18-129 // BID: 103467 // JVNDB: JVNDB-2017-012971 // NVD: CVE-2017-14384

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-14384
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-14384
value: MEDIUM

Trust: 0.8

ZDI: CVE-2017-14384
value: HIGH

Trust: 0.7

CNNVD: CNNVD-201709-448
value: MEDIUM

Trust: 0.6

VULHUB: VHN-105101
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-14384
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

ZDI: CVE-2017-14384
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

VULHUB: VHN-105101
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-14384
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: ZDI: ZDI-18-129 // VULHUB: VHN-105101 // JVNDB: JVNDB-2017-012971 // CNNVD: CNNVD-201709-448 // NVD: CVE-2017-14384

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.9

sources: VULHUB: VHN-105101 // JVNDB: JVNDB-2017-012971 // NVD: CVE-2017-14384

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201709-448

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201709-448

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-012971

PATCH
title:Dell Storage Manager 2016 R3 Release Notesurl:http://topics-cdn.dell.com/pdf/storage-sc2000_release-notes24_en-us.pdf
Trust: 0.8
title:Dell EMC has issued an update to correct this vulnerability.url:http://topics-cdn.dell.com/pdf/storage-sc2000_release%20notes24_en-us.pdf
Trust: 0.7
sources:
            
            
            ZDI: ZDI-18-129 // 
            
            
            
            JVNDB: JVNDB-2017-012971

EXTERNAL IDS
db:NVDid:CVE-2017-14384
Trust: 3.5
db:BIDid:103467
Trust: 1.4
db:JVNDBid:JVNDB-2017-012971
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-5293
Trust: 0.7
db:ZDIid:ZDI-18-129
Trust: 0.7
db:CNNVDid:CNNVD-201709-448
Trust: 0.7
db:NSFOCUSid:39174
Trust: 0.6
db:VULHUBid:VHN-105101
Trust: 0.1
sources:
            
            
            ZDI: ZDI-18-129 // 
            
            
            
            VULHUB: VHN-105101 // 
            
            
            
            BID: 103467 // 
            
            
            
            JVNDB: JVNDB-2017-012971 // 
            
            
            
            CNNVD: CNNVD-201709-448 // 
            
            
            
            NVD: CVE-2017-14384

REFERENCES
url:http://topics-cdn.dell.com/pdf/storage-sc2000_release%20notes24_en-us.pdf
Trust: 2.7
url:http://www.securityfocus.com/bid/103467
Trust: 1.1
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14384
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-14384
Trust: 0.8
url:http://www.nsfocus.net/vulndb/39174
Trust: 0.6
url:http://dell.com
Trust: 0.3
sources:
            
            
            ZDI: ZDI-18-129 // 
            
            
            
            VULHUB: VHN-105101 // 
            
            
            
            BID: 103467 // 
            
            
            
            JVNDB: JVNDB-2017-012971 // 
            
            
            
            CNNVD: CNNVD-201709-448 // 
            
            
            
            NVD: CVE-2017-14384

CREDITS
rgod
Trust: 0.7
sources:
            
            
            ZDI: ZDI-18-129

SOURCES
db:ZDIid:ZDI-18-129
db:VULHUBid:VHN-105101
db:BIDid:103467
db:JVNDBid:JVNDB-2017-012971
db:CNNVDid:CNNVD-201709-448
db:NVDid:CVE-2017-14384

LAST UPDATE DATE
2024-11-23T22:45:25.941000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-18-129date:2018-01-18T00:00:00
db:VULHUBid:VHN-105101date:2018-04-12T00:00:00
db:BIDid:103467date:2018-03-16T00:00:00
db:JVNDBid:JVNDB-2017-012971date:2018-05-14T00:00:00
db:CNNVDid:CNNVD-201709-448date:2018-03-19T00:00:00
db:NVDid:CVE-2017-14384date:2024-11-21T03:12:40.640

SOURCES RELEASE DATE
db:ZDIid:ZDI-18-129date:2018-01-18T00:00:00
db:VULHUBid:VHN-105101date:2018-03-16T00:00:00
db:BIDid:103467date:2018-03-16T00:00:00
db:JVNDBid:JVNDB-2017-012971date:2018-05-14T00:00:00
db:CNNVDid:CNNVD-201709-448date:2017-09-13T00:00:00
db:NVDid:CVE-2017-14384date:2018-03-16T20:29:00.290