Cisco License Manager Server ReportCSV Directory Traversal
TSL ID TSL20171005-01
CVE ID(s) CVE-2017-12263
Severity High
Description

An information disclosure vulnerability has been reported in Cisco License Manager Server. The vulnerability is due to insufficient validation of user-supplied paths when a request is sent to the ReportCSV servlet.

A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to the target system. Successful exploitation results in the disclosure of the contents of arbitrary files from the target system.

The vendor, Cisco, has released the following advisory regarding this vulnerability:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-clm

Affected Products
  • Cisco Systems License Manager
CVSS Score Base 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N):
  • Access vector is NETWORK
  • Access complexity is LOW
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is COMPLETE
  • Impact of this vulnerability on data integrity is NONE
  • Impact of this vulnerability on data availability is NONE
Temporal 6.6 (E:U/RL:U/RC:C):
  • The exploitability level of this vulnerability is UNPROVEN
  • The remediation level of this vulnerability is UNAVAILABLE
  • The report confidence level of this vulnerability is CONFIRMED
Identifiers
ZDI
References https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-clm