Improper input validation in Cisco Ultra Services Framework - CVE-2017-6708
Published: July 6, 2017
Vulnerability identifier: #VU7343
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2017-6708
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco Ultra Services Framework
Cisco Ultra Services Framework
Detailed vulnerability description
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information or execute arbitrary code.
The vulnerability exists in the symbolic link (symlink) creation functionality of the AutoVNF tool for the Cisco Ultra Services Framework due to improper input validation. A remote attacker can supply specially crafted data used to create symbolic links and read any sensitive file or execute malicious code on an affected system.
Successful exploitation of the vulnerability may result in system compromise.
The vulnerability exists in the symbolic link (symlink) creation functionality of the AutoVNF tool for the Cisco Ultra Services Framework due to improper input validation. A remote attacker can supply specially crafted data used to create symbolic links and read any sensitive file or execute malicious code on an affected system.
Successful exploitation of the vulnerability may result in system compromise.
How to mitigate CVE-2017-6708
The vulnerability is addressed in the following versions:
5.0.3, 5.1.
5.0.3, 5.1.