CVE-2017-7237 - The Spiceworks TFTP Server, as distributed with Spiceworks Inventory 7.5, allows remote attackers to

CVE-2017-7237

Summary

The Spiceworks TFTP Server, as distributed with Spiceworks Inventory 7.5, allows remote attackers to access the Spiceworks data\configurations directory by leveraging the unauthenticated nature of the TFTP service for all clients who can reach UDP port 69, as demonstrated by a WRQ (aka Write request) operation for a configuration file or an executable file.

References

Vulnerable Configurations

cpe:2.3:a:spiceworks:spiceworks:7.5:*:*:*:*:*:*:*
cpe:2.3:a:spiceworks:spiceworks:7.5:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 03-10-2019 - 00:03)
Impact:
Exploitability:

CWE

NVD-CWE-noinfo

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

exploit-db	41825
misc	http://hyp3rlinx.altervista.org/advisories/SPICEWORKS-IMPROPER-ACCESS-CONTROL-FILE-OVERWRITE.txt https://community.spiceworks.com/support/inventory/docs/network-config#security

Last major update

03-10-2019 - 00:03

Published

06-04-2017 - 15:59

Last modified

03-10-2019 - 00:03