ID

VAR-201807-0232


CVE

CVE-2017-0913


TITLE

Ubiquiti UCRM Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2018-007703

DESCRIPTION

Ubiquiti UCRM versions 2.3.0 to 2.7.7 allow an authenticated user to read arbitrary files in the local file system. Note that by default, the local file system is isolated in a Docker container. Successful exploitation requires valid credentials to an account with "Edit" access to "System Customization". Ubiquiti UCRM contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained. Ubiquiti UCRM is a billing and customer management system developed by Ubiquiti Networks. The system has functions such as customer management, automatic settlement and network monitoring.

Trust: 1.71

sources: NVD: CVE-2017-0913 // JVNDB: JVNDB-2018-007703 // VULHUB: VHN-99732

AFFECTED PRODUCTS

vendor: ubnt // model: ucrm // scope: lte // version: 2.7.7

Trust: 1.0

vendor: ubnt // model: ucrm // scope: gte // version: 2.3.0

Trust: 1.0

vendor: ubiquiti // model: ucrm // scope: eq // version: 2.3.0 to 2.7.7

Trust: 0.8

sources: JVNDB: JVNDB-2018-007703 // NVD: CVE-2017-0913

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-0913
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-0913
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201807-2098
value: MEDIUM

Trust: 0.6

VULHUB: VHN-99732
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2017-0913
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-99732
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-0913
baseSeverity: MEDIUM
baseScore: 4.7
vectorString: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.0
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-99732 // JVNDB: JVNDB-2018-007703 // CNNVD: CNNVD-201807-2098 // NVD: CVE-2017-0913

PROBLEMTYPE DATA

problemtype: CWE-732

Trust: 1.1

problemtype: CWE-264

Trust: 0.9

sources: VULHUB: VHN-99732 // JVNDB: JVNDB-2018-007703 // NVD: CVE-2017-0913

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201807-2098

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201807-2098

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-007703

PATCH

title: New UCRM upgrades available: 2.8.2 and 2.9.0-beta3 // url: https://community.ubnt.com/t5/UCRM/New-UCRM-upgrades-available-2-8-2-and-2-9-0-beta3/td-p/2211814

Trust: 0.8

title: Ubiquiti UCRM Fixes for permission permissions and access control vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=100306

Trust: 0.6

sources: JVNDB: JVNDB-2018-007703 // CNNVD: CNNVD-201807-2098

EXTERNAL IDS

db: NVD // id: CVE-2017-0913

Trust: 2.5

db: HACKERONE // id: 301406

Trust: 1.7

db: JVNDB // id: JVNDB-2018-007703

Trust: 0.8

db: CNNVD // id: CNNVD-201807-2098

Trust: 0.7

db: VULHUB // id: VHN-99732

Trust: 0.1

sources: VULHUB: VHN-99732 // JVNDB: JVNDB-2018-007703 // CNNVD: CNNVD-201807-2098 // NVD: CVE-2017-0913

REFERENCES

url: https://community.ubnt.com/t5/ucrm/new-ucrm-upgrades-available-2-8-2-and-2-9-0-beta3/td-p/2211814

Trust: 1.7

url: https://hackerone.com/reports/301406

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-0913

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-0913

Trust: 0.8

sources: VULHUB: VHN-99732 // JVNDB: JVNDB-2018-007703 // CNNVD: CNNVD-201807-2098 // NVD: CVE-2017-0913

SOURCES

db: VULHUB // id: VHN-99732
db: JVNDB // id: JVNDB-2018-007703
db: CNNVD // id: CNNVD-201807-2098
db: NVD // id: CVE-2017-0913

LAST UPDATE DATE

2024-11-23T22:06:46.025000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-99732 // date: 2019-10-03T00:00:00
db: JVNDB // id: JVNDB-2018-007703 // date: 2018-09-21T00:00:00
db: CNNVD // id: CNNVD-201807-2098 // date: 2019-10-23T00:00:00
db: NVD // id: CVE-2017-0913 // date: 2024-11-21T03:03:53.117

SOURCES RELEASE DATE

db: VULHUB // id: VHN-99732 // date: 2018-07-03T00:00:00
db: JVNDB // id: JVNDB-2018-007703 // date: 2018-09-21T00:00:00
db: CNNVD // id: CNNVD-201807-2098 // date: 2018-07-04T00:00:00
db: NVD // id: CVE-2017-0913 // date: 2018-07-03T21:29:00.247