CVE-2017-9279

NetIQ Identity Manager before 4.5.6.1 allowed uploading files with double extensions or non-image content in the Themes handling of the User Application Administration, allowing malicious user administrators to potentially execute code or mislead users.

CVSS v3 2.0 LOW
CVSS v2.0 9.0 HIGH

2.0^/10

CVSS v3 : LOW

Vector : AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

Exploitability : 0.6 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

9.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability : 8.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://bugzilla.suse.com/show_bug.cgi?id=1049129
https://download.novell.com/Download?buildid=K7lbPAGJyIk~
https://bugzilla.suse.com/show_bug.cgi?id=1049129
https://download.novell.com/Download?buildid=K7lbPAGJyIk~

Configurations

Configuration 1 (hide)

cpe:2.3:a:netiq:identity_manager:*:*:*:*:*:*:*:*

History

21 Nov 2024, 03:35

Type	Values Removed	Values Added
References	~~() https://bugzilla.suse.com/show_bug.cgi?id=1049129 -~~	() https://bugzilla.suse.com/show_bug.cgi?id=1049129 -
References	~~() https://download.novell.com/Download?buildid=K7lbPAGJyIk~ -~~	() https://download.novell.com/Download?buildid=K7lbPAGJyIk~ -
CVSS	v2 : ~~9.0~~ v3 : ~~7.2~~	v2 : 9.0 v3 : 2.0

07 Nov 2023, 02:50

Type	Values Removed	Values Added
References	~~(CONFIRM) https://download.novell.com/Download?buildid=K7lbPAGJyIk~ - Vendor Advisory~~	() https://download.novell.com/Download?buildid=K7lbPAGJyIk~ -
References	~~(CONFIRM) https://bugzilla.suse.com/show_bug.cgi?id=1049129 - Issue Tracking, Permissions Required, Third Party Advisory~~	() https://bugzilla.suse.com/show_bug.cgi?id=1049129 -

Information

Published : 2018-03-02 20:29

Updated : 2024-11-21 03:35

NVD link : CVE-2017-9279

Mitre link : CVE-2017-9279

CVE.ORG link : CVE-2017-9279

JSON object : View

Products Affected

netiq

identity_manager

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

CWE-20

Improper Input Validation

{"id": "CVE-2017-9279", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": true, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "security@opentext.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 2.0, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 0.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2018-03-02T20:29:00.910", "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=1049129", "source": "security@opentext.com"}, {"url": "https://download.novell.com/Download?buildid=K7lbPAGJyIk~", "source": "security@opentext.com"}, {"url": "https://bugzilla.suse.com/show_bug.cgi?id=1049129", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://download.novell.com/Download?buildid=K7lbPAGJyIk~", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@opentext.com", "description": [{"lang": "en", "value": "CWE-434"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "NetIQ Identity Manager before 4.5.6.1 allowed uploading files with double extensions or non-image content in the Themes handling of the User Application Administration, allowing malicious user administrators to potentially execute code or mislead users."}, {"lang": "es", "value": "NetIQ Identity Manager, en versiones anteriores a la 4.5.6.1, permit\u00eda la subida de archivos con doble extensi\u00f3n o contenido sin im\u00e1genes en la manipulaci\u00f3n de temas de User Application Administration. Esto permit\u00eda que usuarios administradores maliciosos ejecutasen c\u00f3digo o confundiesen a los usuarios."}], "lastModified": "2024-11-21T03:35:44.793", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netiq:identity_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B66D9825-C8A9-45E2-B932-BA2444FCA62E", "versionEndExcluding": "4.5.6.1"}], "operator": "OR"}]}], "sourceIdentifier": "security@opentext.com"}