Multiple vulnerabilities in HPE SiteScope



Published: 2017-06-28
Risk: High
Patch available: YES
Number of vulnerabilities: 4
CVE-ID: CVE-2017-8949, CVE-2017-8950, CVE-2017-8951, CVE-2017-8952
CWE-ID: CWE-310, CWE-264, CWE-287
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: HP SiteScope (Server applications / Other server solutions)
Vendor: Hewlett Packard Enterprise Development LP

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Information disclosure

EUVDB-ID: #VU7215

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8949

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows a local attacker to obtain potentially sensitive information.

The weakness exists due to an unspecified cryptographic error. A local attacker can read arbitrary files on the system.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

HP SiteScope: 11.20 - 11.33

External links

http://h20566.www2.hpe.com/hpsc/doc/public/display?docId=hpesbgn03763en_us


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU7216

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8950

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows a local attacker to obtain potentially sensitive information.

The weakness exists due to an unspecified cryptographic error. A local attacker can read arbitrary files on the system.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

HP SiteScope: 11.20 - 11.33

External links

http://h20566.www2.hpe.com/hpsc/doc/public/display?docId=hpesbgn03763en_us


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Security restrictions bypass

EUVDB-ID: #VU7217

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8951

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local attacker to bypass security restrictions on the target system.

The weakness exists due to insufficient privilege controls. A local attacker can bypass security restrictions and gain access to the system.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

HP SiteScope: 11.20 - 11.33

External links

http://h20566.www2.hpe.com/hpsc/doc/public/display?docId=hpesbgn03763en_us


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Authentication bypass

EUVDB-ID: #VU7218

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8952

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to improper authentication. A remote attacker can bypass authentication and execute arbitrary code on the system.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

HP SiteScope: 11.20 - 11.33

External links

http://h20566.www2.hpe.com/hpsc/doc/public/display?docId=hpesbgn03763en_us


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


