cnvd - cnvd-2017-35396

cnvd-2017-35396

Vulnerability from cnvd

Title: 多款EMC产品Webservice Gateway目录遍历漏洞

Description:

EMC ViPR SRM等都是美国易安信（EMC）公司的产品。EMC ViPR SRM是一套存储资源管理软件。Storage M&R是一款数据存储收集器。Webservice Gateway是其中的一个网关。

多款EMC产品中的Webservice Gateway存在目录遍历漏洞。远程攻击者可通过发送带有目录遍历序列‘../’的请求利用该漏洞未授权访问信息，更改或删除数据。

Severity: 中

Patch Name: 多款EMC产品Webservice Gateway目录遍历漏洞的补丁

Patch Description:

EMC ViPR SRM等都是美国易安信（EMC）公司的产品。EMC ViPR SRM是一套存储资源管理软件。Storage M&R是一款数据存储收集器。Webservice Gateway是其中的一个网关。

多款EMC产品中的Webservice Gateway存在目录遍历漏洞。远程攻击者可通过发送带有目录遍历序列‘../’的请求利用该漏洞未授权访问信息，更改或删除数据。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： http://www.emc.com/

Reference: http://seclists.org/fulldisclosure/2017/Sep/51 http://www.securityfocus.com/bid/100957

Impacted products

Name
['EMC ViPR SRM', 'EMC M&R (Watch4Net) for SAS Solution Packs', 'EMC Storage M&R', 'EMC VNX M&R']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "100957"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-8007"
    }
  },
  "description": "EMC ViPR SRM\u7b49\u90fd\u662f\u7f8e\u56fd\u6613\u5b89\u4fe1\uff08EMC\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002EMC ViPR SRM\u662f\u4e00\u5957\u5b58\u50a8\u8d44\u6e90\u7ba1\u7406\u8f6f\u4ef6\u3002Storage M\u0026R\u662f\u4e00\u6b3e\u6570\u636e\u5b58\u50a8\u6536\u96c6\u5668\u3002Webservice Gateway\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u7f51\u5173\u3002\r\n\r\n\u591a\u6b3eEMC\u4ea7\u54c1\u4e2d\u7684Webservice Gateway\u5b58\u5728\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u53d1\u9001\u5e26\u6709\u76ee\u5f55\u904d\u5386\u5e8f\u5217\u2018../\u2019\u7684\u8bf7\u6c42\u5229\u7528\u8be5\u6f0f\u6d1e\u672a\u6388\u6743\u8bbf\u95ee\u4fe1\u606f\uff0c\u66f4\u6539\u6216\u5220\u9664\u6570\u636e\u3002",
  "discovererName": "rgod working with Trend Micro\u0027s Zero Day Initiative",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttp://www.emc.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-35396",
  "openTime": "2017-11-29",
  "patchDescription": "EMC ViPR SRM\u7b49\u90fd\u662f\u7f8e\u56fd\u6613\u5b89\u4fe1\uff08EMC\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002EMC ViPR SRM\u662f\u4e00\u5957\u5b58\u50a8\u8d44\u6e90\u7ba1\u7406\u8f6f\u4ef6\u3002Storage M\u0026R\u662f\u4e00\u6b3e\u6570\u636e\u5b58\u50a8\u6536\u96c6\u5668\u3002Webservice Gateway\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u7f51\u5173\u3002\r\n\r\n\u591a\u6b3eEMC\u4ea7\u54c1\u4e2d\u7684Webservice Gateway\u5b58\u5728\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u53d1\u9001\u5e26\u6709\u76ee\u5f55\u904d\u5386\u5e8f\u5217\u2018../\u2019\u7684\u8bf7\u6c42\u5229\u7528\u8be5\u6f0f\u6d1e\u672a\u6388\u6743\u8bbf\u95ee\u4fe1\u606f\uff0c\u66f4\u6539\u6216\u5220\u9664\u6570\u636e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u6b3eEMC\u4ea7\u54c1Webservice Gateway\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "EMC ViPR SRM",
      "EMC M\u0026R (Watch4Net) for SAS Solution Packs",
      "EMC Storage M\u0026R",
      "EMC VNX M\u0026R"
    ]
  },
  "referenceLink": "http://seclists.org/fulldisclosure/2017/Sep/51\r\nhttp://www.securityfocus.com/bid/100957",
  "serverity": "\u4e2d",
  "submitTime": "2017-09-22",
  "title": "\u591a\u6b3eEMC\u4ea7\u54c1Webservice Gateway\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e"
}

CVE-2017-8007 (GCVE-0-2017-8007)

Vulnerability from cvelistv5

Published

2017-09-22 01:00

Modified

2024-08-05 16:19

Severity ?

CWE

Directory Traversal

Summary

In EMC ViPR SRM, Storage M&R, VNX M&R, and M&R (Watch4Net) for SAS Solution Packs, the Webservice Gateway is affected by a directory traversal vulnerability. Attackers with knowledge of Webservice Gateway credentials could potentially exploit this vulnerability to access unauthorized information, and modify or delete data, by supplying specially crafted strings in input parameters of the web service call.

References

▼	URL	Tags
	http://www.securityfocus.com/bid/100957	vdb-entry, x_refsource_BID
	http://www.securitytracker.com/id/1039418	vdb-entry, x_refsource_SECTRACK
	http://seclists.org/fulldisclosure/2017/Sep/51	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1039417	vdb-entry, x_refsource_SECTRACK

Impacted products

	Vendor	Product	Version
	n/a	EMC ViPR SRM, EMC Storage M&R, EMC VNX M&R, EMC M&R (Watch4Net) for SAS Solution Packs	Version: EMC ViPR SRM, EMC Storage M&R, EMC VNX M&R, EMC M&R (Watch4Net) for SAS Solution Packs

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T16:19:29.489Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "100957",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/100957"
          },
          {
            "name": "1039418",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1039418"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2017/Sep/51"
          },
          {
            "name": "1039417",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1039417"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "EMC ViPR SRM, EMC Storage M\u0026R, EMC VNX M\u0026R, EMC M\u0026R (Watch4Net) for SAS Solution Packs",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "EMC ViPR SRM, EMC Storage M\u0026R, EMC VNX M\u0026R, EMC M\u0026R (Watch4Net) for SAS Solution Packs"
            }
          ]
        }
      ],
      "datePublic": "2017-09-21T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In EMC ViPR SRM, Storage M\u0026R, VNX M\u0026R, and M\u0026R (Watch4Net) for SAS Solution Packs, the Webservice Gateway is affected by a directory traversal vulnerability. Attackers with knowledge of Webservice Gateway credentials could potentially exploit this vulnerability to access unauthorized information, and modify or delete data, by supplying specially crafted strings in input parameters of the web service call."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Directory Traversal",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-23T09:57:01",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "name": "100957",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/100957"
        },
        {
          "name": "1039418",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1039418"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://seclists.org/fulldisclosure/2017/Sep/51"
        },
        {
          "name": "1039417",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1039417"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security_alert@emc.com",
          "ID": "CVE-2017-8007",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "EMC ViPR SRM, EMC Storage M\u0026R, EMC VNX M\u0026R, EMC M\u0026R (Watch4Net) for SAS Solution Packs",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "EMC ViPR SRM, EMC Storage M\u0026R, EMC VNX M\u0026R, EMC M\u0026R (Watch4Net) for SAS Solution Packs"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In EMC ViPR SRM, Storage M\u0026R, VNX M\u0026R, and M\u0026R (Watch4Net) for SAS Solution Packs, the Webservice Gateway is affected by a directory traversal vulnerability. Attackers with knowledge of Webservice Gateway credentials could potentially exploit this vulnerability to access unauthorized information, and modify or delete data, by supplying specially crafted strings in input parameters of the web service call."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Directory Traversal"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "100957",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/100957"
            },
            {
              "name": "1039418",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1039418"
            },
            {
              "name": "http://seclists.org/fulldisclosure/2017/Sep/51",
              "refsource": "CONFIRM",
              "url": "http://seclists.org/fulldisclosure/2017/Sep/51"
            },
            {
              "name": "1039417",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1039417"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2017-8007",
    "datePublished": "2017-09-22T01:00:00",
    "dateReserved": "2017-04-21T00:00:00",
    "dateUpdated": "2024-08-05T16:19:29.489Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted