SB2017100516 - Information disclosure in Cisco License Manager
Published: October 5, 2017
Security Bulletin ID
SB2017100516
CSH Severity
Low
Patch available
NO
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Directory traversal (CVE-ID: CVE-2017-12263)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists in the web interface of Cisco License Manager software due to improper sanitization of user-supplied input in HTTP request parameters that describe filenames. A remote attacker can use directory traversal techniques to submit a path to a desired file location and view application files which may contain sensitive information.
Successful exploitation of the vulnerability results in information disclosure.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.