Vulnerability identifier: #VU8242
Vulnerability risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-126
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
RealPresence Trio
Hardware solutions /
Firmware
VVX
Hardware solutions /
Firmware
SoundStation IP
Hardware solutions /
Firmware
Vendor: Polycom, Inc.
Description
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.
The weakness exists due to buffer over-read. A remote attacker can upload a specially crafted file containing null characters and obtain potentially sensitive information from uninitialized system memory.
Successful exploitation of the vulnerability results in information disclosure.
Mitigation
The vulnerability is addressed in the following version: UCS 4.0.12, 5.6.0, 5.5.2, 5.4.7, 5.4.5.
Vulnerable software versions
RealPresence Trio: All versions
VVX: All versions
SoundStation IP: All versions
External links
http://support.polycom.com/content/dam/polycom-support/global/documentation/securityadvisory-informa...
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.