CVE-2017-12250

A vulnerability in the HTTP web interface for Cisco Wide Area Application Services (WAAS) could allow an unauthenticated, remote attacker to cause an HTTP Application Optimization (AO) related process to restart, causing a partial denial of service (DoS) condition. The vulnerability is due to lack of input validation of user-supplied input parameters within an HTTP request. An attacker could exploit this vulnerability by sending a crafted HTTP request through the targeted device. An exploit could allow the attacker to cause a DoS condition due to a process unexpectedly restarting. The WAAS could drop traffic during the brief time the process is restarting. Cisco Bug IDs: CSCvc63048.

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/bid/100928	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1039415	Third Party Advisory VDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170920-waas	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cisco:wide_area_application_services:6.2\(3a\):*:*:*:*:*:*:*

History

No history.

Information

Published : 2017-09-21 05:29

Updated : 2024-02-28 16:04

NVD link : CVE-2017-12250

Mitre link : CVE-2017-12250

CVE.ORG link : CVE-2017-12250

JSON object : View

Products Affected

cisco

wide_area_application_services

CWE

CWE-20

Improper Input Validation

CWE-399

Resource Management Errors

{"id": "CVE-2017-12250", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2017-09-21T05:29:00.387", "references": [{"url": "http://www.securityfocus.com/bid/100928", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ykramarz@cisco.com"}, {"url": "http://www.securitytracker.com/id/1039415", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ykramarz@cisco.com"}, {"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170920-waas", "tags": ["Vendor Advisory"], "source": "ykramarz@cisco.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Secondary", "source": "ykramarz@cisco.com", "description": [{"lang": "en", "value": "CWE-399"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the HTTP web interface for Cisco Wide Area Application Services (WAAS) could allow an unauthenticated, remote attacker to cause an HTTP Application Optimization (AO) related process to restart, causing a partial denial of service (DoS) condition. The vulnerability is due to lack of input validation of user-supplied input parameters within an HTTP request. An attacker could exploit this vulnerability by sending a crafted HTTP request through the targeted device. An exploit could allow the attacker to cause a DoS condition due to a process unexpectedly restarting. The WAAS could drop traffic during the brief time the process is restarting. Cisco Bug IDs: CSCvc63048."}, {"lang": "es", "value": "Una vulnerabilidad en la interfaz web HTTP para Cisco Wide Area Application Services (WAAS) podr\u00eda permitir a un atacante remoto no autenticado provocar que un proceso HTTP relacionado con la optimizaci\u00f3n de aplicaciones se reinicie, provocando una denegaci\u00f3n de servicio parcial. Esta vulnerabilidad se debe a la falta de validaci\u00f3n de entrada de par\u00e1metros de entrada proporcionados por el usuario en una petici\u00f3n HTTP. Un atacante podr\u00eda explotar esta vulnerabilidad mediante el env\u00edo de una petici\u00f3n HTTP manipulada al dispositivo objetivo. Su explotaci\u00f3n podr\u00eda permitir a un atacante provocar una denegaci\u00f3n de servicio por el reinicio inesperado de un proceso. WAAS podr\u00eda tener una ca\u00edda de tr\u00e1fico durante el breve per\u00edodo de tiempo en el que se reinicia el proceso. Cisco Bug IDs: CSCvc63048."}], "lastModified": "2019-10-09T23:22:44.997", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:wide_area_application_services:6.2\\(3a\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3C1C2B85-1129-49EA-9414-F44B7A911D84"}], "operator": "OR"}]}], "sourceIdentifier": "ykramarz@cisco.com"}