CVE-2017-6754

{"id": "CVE-2017-6754", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2017-08-07T06:29:00.417", "references": [{"url": "http://www.securityfocus.com/bid/100126", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ykramarz@cisco.com"}, {"url": "https://quickview.cloudapps.cisco.com/quickview/bug/CSCvf07617", "tags": ["Vendor Advisory"], "source": "ykramarz@cisco.com"}, {"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170802-sntc", "tags": ["Vendor Advisory"], "source": "ykramarz@cisco.com"}, {"url": "http://www.securityfocus.com/bid/100126", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://quickview.cloudapps.cisco.com/quickview/bug/CSCvf07617", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170802-sntc", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "ykramarz@cisco.com", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based management interface of the Cisco Smart Net Total Care (SNTC) Software Collector Appliance 3.11 could allow an authenticated, remote attacker to perform a read-only, blind SQL injection attack, which could allow the attacker to compromise the confidentiality of the system through SQL timing attacks. The vulnerability is due to insufficient input validation of certain user-supplied fields that are subsequently used by the affected software to build SQL queries. An attacker could exploit this vulnerability by submitting crafted URLs, which are designed to exploit the vulnerability, to the affected software. To execute an attack successfully, the attacker would need to submit a number of requests to the affected software. A successful exploit could allow the attacker to determine the presence of values in the SQL database of the affected software. Cisco Bug IDs: CSCvf07617."}, {"lang": "es", "value": "Una vulnerabilidad en la interfaz de gesti\u00f3n basada en web de Cisco Smart Net Total Care (SNTC) Software Collector Appliance 3.11 podr\u00eda permitir que un atacante remoto autenticado realice un ataque ciego de s\u00f3lo lectura de inyecci\u00f3n SQL, lo que har\u00eda que este comprometiese la confidencialidad del sistema mediante ataques SQL basados en tiempo. La vulnerabilidad se debe a que no se validan lo suficiente los campos de entrada de datos de usuario que son, posteriormente, empleados por el software afectado para realizar consultas SQL. Un atacante podr\u00eda explotar esta vulnerabilidad enviando al software afectado URL manipuladas dise\u00f1adas para este fin. Para llevar a cabo este ataque de forma exitosa, el atacante necesitar\u00eda enviar una serie de peticiones al software afectado. Si se realiza correctamente, esta vulnerabilidad podr\u00eda permitir que el atacante determine la presencia de valores en la base de datos SQL del software afectado. Cisco Bug IDs: CSCvf07617."}], "lastModified": "2024-11-21T03:30:27.253", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:smart_net_total_care_collector_appliance:3.11:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07DA489C-B051-45DB-B068-96E09B7E57BF"}], "operator": "OR"}]}], "sourceIdentifier": "ykramarz@cisco.com"}