#VU39269 Input validation error in Spiceworks - CVE-2017-7237
Published: April 6, 2017 / Updated: August 9, 2020
Vulnerability identifier: #VU39269
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2017-7237
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
Spiceworks
Spiceworks
Software vendor:
Spiceworks Inc.
Spiceworks Inc.
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The Spiceworks TFTP Server, as distributed with Spiceworks Inventory 7.5, allows remote attackers to access the Spiceworks dataconfigurations directory by leveraging the unauthenticated nature of the TFTP service for all clients who can reach UDP port 69, as demonstrated by a WRQ (aka Write request) operation for a configuration file or an executable file.
Remediation
Install update from vendor's website.