Input validation error in Spiceworks - CVE-2017-7237
Published: April 6, 2017 / Updated: August 9, 2020
Vulnerability identifier: #VU39269
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2017-7237
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: Spiceworks Inc.
Affected software:
Spiceworks
Spiceworks
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The Spiceworks TFTP Server, as distributed with Spiceworks Inventory 7.5, allows remote attackers to access the Spiceworks dataconfigurations directory by leveraging the unauthenticated nature of the TFTP service for all clients who can reach UDP port 69, as demonstrated by a WRQ (aka Write request) operation for a configuration file or an executable file.
How to mitigate CVE-2017-7237
Install update from vendor's website.