Path traversal in Unified Communications Manager (CallManager) - CVE-2017-6758


Published: August 3, 2017


Vulnerability identifier: #VU7673
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-6758
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Unified Communications Manager (CallManager)

Detailed vulnerability description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the web framework of Cisco Unified Communications Manager due to insufficient input validation of user-supplied path values. A remote authenticated attacker can use directory traversal techniques to read files within the web root directory structure on the Cisco Unified Communications Manager filesystem.
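The standard mitigation for a CWE-22 weakness of this kind is to canonicalise every user-supplied path and confirm it still resolves under the intended web root before the file is opened. The following Python is an added, generic illustration of that check; it is not Cisco's code and says nothing about how the CallManager web framework is implemented. The `WEB_ROOT` value and the sample requests are constructed for the example.

```python
"""Generic CWE-22 guard: resolve a user-supplied path strictly inside a web root."""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical web root used for the constructed examples; not a real CUCM path.
WEB_ROOT = "/var/www/webroot"


def safe_resolve(root: str, requested: str) -> Optional[str]:
    """Return the absolute path of `requested` under `root`, or None if it escapes.

    Steps a validating handler should take before touching the filesystem:
    1. percent-decode once, so an encoded '%2e%2e' is seen as '..'
    2. reject NUL bytes and backslashes (path-separator confusion)
    3. normalise, which collapses '.', '..' and duplicate slashes
    4. confirm the result still lies under root by a component-wise prefix check
    """
    decoded = unquote(requested)
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Strip leading slashes so an absolute request cannot replace the root.
    relative = decoded.lstrip("/")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, relative))
    # Checking for root + "/" avoids the "/var/www/webroot2" false match that a
    # plain startswith(root) would accept.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


def is_traversal_attempt(requested: str) -> bool:
    """Detection helper for access-log review: True when a request would escape the root."""
    return safe_resolve(WEB_ROOT, requested) is None


# Constructed sample requests (not taken from the advisory) to show the guard's verdicts.
SAMPLE_REQUESTS = [
    "index.html",
    "css/../js/app.js",
    "../../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "/etc/passwd",
    "img/..\\..\\boot.ini",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict = safe_resolve(WEB_ROOT, req)
        print(f"{req!r:35} -> {verdict if verdict else 'REJECTED'}")
```

The same `is_traversal_attempt` predicate can be run over the path component of web-server access-log entries to flag requests that would have escaped the root, which gives a cheap detection signal for patched and unpatched hosts alike.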

Successful exploitation of the vulnerability results in information disclosure.

How to mitigate CVE-2017-6758

The vulnerability is addressed in the following versions: UCMAP.12.0(0.98000.339), UCMAP.12.0(0.98000.338), UCMAP.11.6(2.10000.6), CUP.12.0(0.98000.1002), CUP.12.0(0.98000.1000), CUP.11.5(1.13900.42), CUC.12.0(0.97000.263.), CCM.12.0(0.98000.767), CCM.12.0(0.98000.765), CCM.11.5(1.13900.38).

Sources