var-201705-3745
Vulnerability from variot
An Absolute Path Traversal issue was discovered in Advantech WebAccess Version 8.1 and prior. The absolute path traversal vulnerability has been identified, which may allow an attacker to traverse the file system to access restricted files or directories. Advantech WebAccess Contains a path traversal vulnerability.Information is obtained and service operation is interrupted (DoS) There is a possibility of being put into a state. This vulnerability allows remote attackers to cause a denial of service condition on vulnerable installations of Advantech WebAccess. Authentication is required to exploit this vulnerability.The specific flaw exists within odbcPg4.asp. An attacker can leverage this vulnerability to overwrite key web files which will disable functionality on the target machine. Advantech WebAccess is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. A directory traversal vulnerability exists in Advantech WebAccess due to the application's failure to adequately filter user-supplied input. A remote attacker exploited the vulnerability to retrieve sensitive information and execute arbitrary code through a specially crafted request with a directory traversal sequence ('../'). This may aid in further attacks. Advantech WebAccess version 8.1 and prior are vulnerable
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201705-3745", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "webaccess", "scope": "lte", "trust": 1.8, "vendor": "advantech", "version": "8.1" }, { "model": "webaccess", "scope": "eq", "trust": 0.9, "vendor": "advantech", "version": "8.1" }, { "model": "webaccess", "scope": null, "trust": 0.7, "vendor": "advantech", "version": null }, { "model": "webaccess", "scope": "lte", "trust": 0.6, "vendor": "advantech", "version": "\u003c=8.1" }, { "model": "webaccess 8.0 20150816", "scope": null, "trust": 0.3, "vendor": "advantech", "version": null }, { "model": "webaccess", "scope": "eq", "trust": 0.3, "vendor": "advantech", "version": "8" }, { "model": "webaccess", "scope": "eq", "trust": 0.3, "vendor": "advantech", "version": "7.2" }, { "model": "webaccess 8.2 20170330", "scope": "ne", "trust": 0.3, "vendor": "advantech", "version": null }, { "model": null, "scope": "eq", "trust": 0.2, "vendor": "webaccess", "version": "*" } ], "sources": [ { "db": "IVD", "id": "72b8f504-9faf-4e5e-9287-87f7cb248c3e" }, { "db": "ZDI", "id": "ZDI-17-322" }, { "db": "CNVD", "id": "CNVD-2017-06980" }, { "db": "BID", "id": "98311" }, { "db": "JVNDB", "id": "JVNDB-2017-003931" }, { "db": "CNNVD", "id": "CNNVD-201704-931" }, { "db": "NVD", "id": "CVE-2017-7929" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "cpe_match": [ { "cpe22Uri": "cpe:/a:advantech:advantech_webaccess", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2017-003931" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Zhou Yu", "sources": [ { "db": "ZDI", "id": "ZDI-17-322" } ], "trust": 0.7 }, "cve": "CVE-2017-7929", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "nvd@nist.gov", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "id": "CVE-2017-7929", "impactScore": 4.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 1.8, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "ZDI", "availabilityImpact": "COMPLETE", "baseScore": 6.8, "confidentialityImpact": "NONE", "exploitabilityScore": 8.0, "id": "CVE-2017-7929", "impactScore": 6.9, "integrityImpact": "NONE", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "MEDIUM", "trust": 0.7, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "CNVD", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "id": "CNVD-2017-06980", "impactScore": 4.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "IVD", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "id": "72b8f504-9faf-4e5e-9287-87f7cb248c3e", "impactScore": 4.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.2, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:P", "version": "2.9 [IVD]" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "VULHUB", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "id": "VHN-116132", "impactScore": 4.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.1, "vectorString": "AV:N/AC:L/AU:S/C:P/I:N/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "exploitabilityScore": 2.8, "id": "CVE-2017-7929", "impactScore": 4.2, "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.8, "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2017-7929", "trust": 1.0, "value": "HIGH" }, { "author": "NVD", "id": "CVE-2017-7929", "trust": 0.8, "value": "High" }, { "author": "ZDI", "id": "CVE-2017-7929", "trust": 0.7, "value": "MEDIUM" }, { "author": "CNVD", "id": "CNVD-2017-06980", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-201704-931", "trust": 0.6, "value": "HIGH" }, { "author": "IVD", "id": "72b8f504-9faf-4e5e-9287-87f7cb248c3e", "trust": 0.2, "value": "HIGH" }, { "author": "VULHUB", "id": "VHN-116132", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "IVD", "id": "72b8f504-9faf-4e5e-9287-87f7cb248c3e" }, { "db": "ZDI", "id": "ZDI-17-322" }, { "db": "CNVD", "id": "CNVD-2017-06980" }, { "db": "VULHUB", "id": "VHN-116132" }, { "db": "JVNDB", "id": "JVNDB-2017-003931" }, { "db": "CNNVD", "id": "CNNVD-201704-931" }, { "db": "NVD", "id": "CVE-2017-7929" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "An Absolute Path Traversal issue was discovered in Advantech WebAccess Version 8.1 and prior. The absolute path traversal vulnerability has been identified, which may allow an attacker to traverse the file system to access restricted files or directories. Advantech WebAccess Contains a path traversal vulnerability.Information is obtained and service operation is interrupted (DoS) There is a possibility of being put into a state. This vulnerability allows remote attackers to cause a denial of service condition on vulnerable installations of Advantech WebAccess. Authentication is required to exploit this vulnerability.The specific flaw exists within odbcPg4.asp. An attacker can leverage this vulnerability to overwrite key web files which will disable functionality on the target machine. Advantech WebAccess is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. A directory traversal vulnerability exists in Advantech WebAccess due to the application\u0027s failure to adequately filter user-supplied input. A remote attacker exploited the vulnerability to retrieve sensitive information and execute arbitrary code through a specially crafted request with a directory traversal sequence (\u0027../\u0027). This may aid in further attacks. \nAdvantech WebAccess version 8.1 and prior are vulnerable", "sources": [ { "db": "NVD", "id": "CVE-2017-7929" }, { "db": "JVNDB", "id": "JVNDB-2017-003931" }, { "db": "ZDI", "id": "ZDI-17-322" }, { "db": "CNVD", "id": "CNVD-2017-06980" }, { "db": "BID", "id": "98311" }, { "db": "IVD", "id": "72b8f504-9faf-4e5e-9287-87f7cb248c3e" }, { "db": "VULHUB", "id": "VHN-116132" } ], "trust": 3.33 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2017-7929", "trust": 4.3 }, { "db": "ICS CERT", "id": "ICSA-17-124-03", "trust": 2.8 }, { "db": "BID", "id": "98311", "trust": 2.6 }, { "db": "CNNVD", "id": "CNNVD-201704-931", "trust": 0.9 }, { "db": "CNVD", "id": "CNVD-2017-06980", "trust": 0.8 }, { "db": "JVNDB", "id": "JVNDB-2017-003931", "trust": 0.8 }, { "db": "ZDI_CAN", "id": "ZDI-CAN-4013", "trust": 0.7 }, { "db": "ZDI", "id": "ZDI-17-322", "trust": 0.7 }, { "db": "IVD", "id": "72B8F504-9FAF-4E5E-9287-87F7CB248C3E", "trust": 0.2 }, { "db": "VULHUB", "id": "VHN-116132", "trust": 0.1 } ], "sources": [ { "db": "IVD", "id": "72b8f504-9faf-4e5e-9287-87f7cb248c3e" }, { "db": "ZDI", "id": "ZDI-17-322" }, { "db": "CNVD", "id": "CNVD-2017-06980" }, { "db": "VULHUB", "id": "VHN-116132" }, { "db": "BID", "id": "98311" }, { "db": "JVNDB", "id": "JVNDB-2017-003931" }, { "db": "CNNVD", "id": "CNNVD-201704-931" }, { "db": "NVD", "id": "CVE-2017-7929" } ] }, "id": "VAR-201705-3745", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "IVD", "id": "72b8f504-9faf-4e5e-9287-87f7cb248c3e" }, { "db": "CNVD", "id": "CNVD-2017-06980" }, { "db": "VULHUB", "id": "VHN-116132" } ], "trust": 1.438782045 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "ICS" ], "sub_category": null, "trust": 0.8 } ], "sources": [ { "db": "IVD", "id": "72b8f504-9faf-4e5e-9287-87f7cb248c3e" }, { "db": "CNVD", "id": "CNVD-2017-06980" } ] }, "last_update_date": "2024-11-23T22:07:25.876000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Advantech WebAccess", "trust": 0.8, "url": "http://www.advantech.com/industrial-automation/webaccess" }, { "title": "Advantech has issued an update to correct this vulnerability.", "trust": 0.7, "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-124-03" }, { "title": "Patch for Advantech WebAccess Directory Traversal Vulnerability (CNVD-2017-06980)", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchInfo/show/93984" }, { "title": "Advantech WebAccess Repair measures for path traversal vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99746" } ], "sources": [ { "db": "ZDI", "id": "ZDI-17-322" }, { "db": "CNVD", "id": "CNVD-2017-06980" }, { "db": "JVNDB", "id": "JVNDB-2017-003931" }, { "db": "CNNVD", "id": "CNNVD-201704-931" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-22", "trust": 1.9 }, { "problemtype": "CWE-36", "trust": 1.0 } ], "sources": [ { "db": "VULHUB", "id": "VHN-116132" }, { "db": "JVNDB", "id": "JVNDB-2017-003931" }, { "db": "NVD", "id": "CVE-2017-7929" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 3.5, "url": "https://ics-cert.us-cert.gov/advisories/icsa-17-124-03" }, { "trust": 2.3, "url": "http://www.securityfocus.com/bid/98311" }, { "trust": 1.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2017-7929" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-7929" }, { "trust": 0.3, "url": "http://www.advantech.in/" } ], "sources": [ { "db": "ZDI", "id": "ZDI-17-322" }, { "db": "CNVD", "id": "CNVD-2017-06980" }, { "db": "VULHUB", "id": "VHN-116132" }, { "db": "BID", "id": "98311" }, { "db": "JVNDB", "id": "JVNDB-2017-003931" }, { "db": "CNNVD", "id": "CNNVD-201704-931" }, { "db": "NVD", "id": "CVE-2017-7929" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "IVD", "id": "72b8f504-9faf-4e5e-9287-87f7cb248c3e" }, { "db": "ZDI", "id": "ZDI-17-322" }, { "db": "CNVD", "id": "CNVD-2017-06980" }, { "db": "VULHUB", "id": "VHN-116132" }, { "db": "BID", "id": "98311" }, { "db": "JVNDB", "id": "JVNDB-2017-003931" }, { "db": "CNNVD", "id": "CNNVD-201704-931" }, { "db": "NVD", "id": "CVE-2017-7929" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2017-05-19T00:00:00", "db": "IVD", "id": "72b8f504-9faf-4e5e-9287-87f7cb248c3e" }, { "date": "2017-05-04T00:00:00", "db": "ZDI", "id": "ZDI-17-322" }, { "date": "2017-05-19T00:00:00", "db": "CNVD", "id": "CNVD-2017-06980" }, { "date": "2017-05-06T00:00:00", "db": "VULHUB", "id": "VHN-116132" }, { "date": "2017-05-04T00:00:00", "db": "BID", "id": "98311" }, { "date": "2017-06-12T00:00:00", "db": "JVNDB", "id": "JVNDB-2017-003931" }, { "date": "2017-04-20T00:00:00", "db": "CNNVD", "id": "CNNVD-201704-931" }, { "date": "2017-05-06T00:29:00.490000", "db": "NVD", "id": "CVE-2017-7929" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2017-05-04T00:00:00", "db": "ZDI", "id": "ZDI-17-322" }, { "date": "2017-05-19T00:00:00", "db": "CNVD", "id": "CNVD-2017-06980" }, { "date": "2019-10-09T00:00:00", "db": "VULHUB", "id": "VHN-116132" }, { "date": "2017-05-23T16:23:00", "db": "BID", "id": "98311" }, { "date": "2017-06-12T00:00:00", "db": "JVNDB", "id": "JVNDB-2017-003931" }, { "date": "2019-10-17T00:00:00", "db": "CNNVD", "id": "CNNVD-201704-931" }, { "date": "2024-11-21T03:32:59.230000", "db": "NVD", "id": "CVE-2017-7929" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201704-931" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Advantech WebAccess Path traversal vulnerability", "sources": [ { "db": "JVNDB", "id": "JVNDB-2017-003931" }, { "db": "CNNVD", "id": "CNNVD-201704-931" } ], "trust": 1.4 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Path traversal", "sources": [ { "db": "IVD", "id": "72b8f504-9faf-4e5e-9287-87f7cb248c3e" }, { "db": "CNNVD", "id": "CNNVD-201704-931" } ], "trust": 0.8 } }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.