cnvd - cnvd-2018-05558

cnvd-2018-05558

Vulnerability from cnvd

Title: Flexense SyncBreeze Enterprise缓冲区溢出漏洞

Description:

Flexense SyncBreeze Enterprise是加拿大Flexense公司的一套文件同步工具。该工具具有文件管理和数据同步等功能。

Flexense SyncBreeze Enterprise 10.3.14及之前版本中的Add command功能存在缓冲区溢出漏洞。攻击者可通过提交长度大于5000字符串的命令名称利用该漏洞造成SyncBreeze Enterprise服务器中断并可能以SYSTEM权限执行命令。

Severity: 高

Formal description:

目前没有详细的解决方案提供： http://www.syncbreeze.com/

Reference: http://seclists.org/fulldisclosure/2018/Feb/10

Impacted products

Name
Flexense SyncBreeze Enterprise <=10.3.14

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-17996",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17996"
    }
  },
  "description": "Flexense SyncBreeze Enterprise\u662f\u52a0\u62ff\u5927Flexense\u516c\u53f8\u7684\u4e00\u5957\u6587\u4ef6\u540c\u6b65\u5de5\u5177\u3002\u8be5\u5de5\u5177\u5177\u6709\u6587\u4ef6\u7ba1\u7406\u548c\u6570\u636e\u540c\u6b65\u7b49\u529f\u80fd\u3002\r\n\r\nFlexense SyncBreeze Enterprise 10.3.14\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u7684Add command\u529f\u80fd\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u63d0\u4ea4\u957f\u5ea6\u5927\u4e8e5000\u5b57\u7b26\u4e32\u7684\u547d\u4ee4\u540d\u79f0\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210SyncBreeze Enterprise\u670d\u52a1\u5668\u4e2d\u65ad\u5e76\u53ef\u80fd\u4ee5SYSTEM\u6743\u9650\u6267\u884c\u547d\u4ee4\u3002",
  "discovererName": "@ryantzj",
  "formalWay": "\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u89e3\u51b3\u65b9\u6848\u63d0\u4f9b\uff1a\r\nhttp://www.syncbreeze.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-05558",
  "openTime": "2018-03-19",
  "products": {
    "product": "Flexense SyncBreeze Enterprise \u003c=10.3.14"
  },
  "referenceLink": "http://seclists.org/fulldisclosure/2018/Feb/10",
  "serverity": "\u9ad8",
  "submitTime": "2018-02-08",
  "title": "Flexense SyncBreeze Enterprise\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e"
}

CVE-2017-17996 (GCVE-0-2017-17996)

Vulnerability from cvelistv5

Published

2018-02-06 16:00

Modified

2024-08-05 21:06

Severity ?

CWE

Summary

A buffer overflow vulnerability in "Add command" functionality exists in Flexense SyncBreeze Enterprise <= 10.3.14. The vulnerability can be triggered by an authenticated attacker who submits more than 5000 characters as the command name. It will cause termination of the SyncBreeze Enterprise server and possibly remote command execution with SYSTEM privilege.

References

▼	URL	Tags
	http://seclists.org/fulldisclosure/2018/Feb/10	mailing-list, x_refsource_FULLDISC
	http://www.ryantzj.com/flexense-syncbreeze-entreprise-10314-buffer-overflow-seh-bypass.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T21:06:49.950Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20180202 Flexense SyncBreeze Entreprise 10.3.14 Buffer Overflow (SEH-bypass)",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2018/Feb/10"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.ryantzj.com/flexense-syncbreeze-entreprise-10314-buffer-overflow-seh-bypass.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-01-31T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A buffer overflow vulnerability in \"Add command\" functionality exists in Flexense SyncBreeze Enterprise \u003c= 10.3.14. The vulnerability can be triggered by an authenticated attacker who submits more than 5000 characters as the command name. It will cause termination of the SyncBreeze Enterprise server and possibly remote command execution with SYSTEM privilege."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-02-06T15:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "20180202 Flexense SyncBreeze Entreprise 10.3.14 Buffer Overflow (SEH-bypass)",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2018/Feb/10"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.ryantzj.com/flexense-syncbreeze-entreprise-10314-buffer-overflow-seh-bypass.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-17996",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A buffer overflow vulnerability in \"Add command\" functionality exists in Flexense SyncBreeze Enterprise \u003c= 10.3.14. The vulnerability can be triggered by an authenticated attacker who submits more than 5000 characters as the command name. It will cause termination of the SyncBreeze Enterprise server and possibly remote command execution with SYSTEM privilege."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20180202 Flexense SyncBreeze Entreprise 10.3.14 Buffer Overflow (SEH-bypass)",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2018/Feb/10"
            },
            {
              "name": "http://www.ryantzj.com/flexense-syncbreeze-entreprise-10314-buffer-overflow-seh-bypass.html",
              "refsource": "MISC",
              "url": "http://www.ryantzj.com/flexense-syncbreeze-entreprise-10314-buffer-overflow-seh-bypass.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-17996",
    "datePublished": "2018-02-06T16:00:00",
    "dateReserved": "2017-12-29T00:00:00",
    "dateUpdated": "2024-08-05T21:06:49.950Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted