CVE-2017-4989 - OpenCVE

In EMC Avamar Server Software 7.3.1-125, 7.3.0-233, 7.3.0-226, 7.2.1-32, 7.2.1-31, 7.2.0-401, an unauthenticated remote attacker may potentially bypass the authentication process to gain access to the system maintenance page. This may be exploited by an attacker to view sensitive information, perform software updates, or run maintenance workflows.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Emc	Avamar Server

Configuration 1 [-]

OR	cpe:2.3:a:emc:avamar_server:7.2.0-401:::::::*
	cpe:2.3:a:emc:avamar_server:7.2.1-31:::::::*
	cpe:2.3:a:emc:avamar_server:7.2.1-32:::::::*
	cpe:2.3:a:emc:avamar_server:7.3.0-226:::::::*
	cpe:2.3:a:emc:avamar_server:7.3.0-233:::::::*
	cpe:2.3:a:emc:avamar_server:7.3.1-125:::::::*

No data.

References

Link	Providers
http://www.securityfocus.com/archive/1/540754/30/0/threaded
http://www.securityfocus.com/bid/99243
http://www.securitytracker.com/id/1038718

History

No history.

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2017-06-21T20:00:00

Updated: 2024-08-05T14:47:44.030Z

Reserved: 2016-12-29T00:00:00

Link: CVE-2017-4989

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-06-21T20:29:00.297

Modified: 2017-07-07T01:29:03.917

Link: CVE-2017-4989

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "EMC Avamar Server Software 7.3.1-125, 7.3.0-233, 7.3.0-226, 7.2.1-32, 7.2.1-31, 7.2.0-401", "vendor": "n/a", "versions": [{"status": "affected", "version": "EMC Avamar Server Software 7.3.1-125, 7.3.0-233, 7.3.0-226, 7.2.1-32, 7.2.1-31, 7.2.0-401"}]}], "datePublic": "2017-06-21T00:00:00", "descriptions": [{"lang": "en", "value": "In EMC Avamar Server Software 7.3.1-125, 7.3.0-233, 7.3.0-226, 7.2.1-32, 7.2.1-31, 7.2.0-401, an unauthenticated remote attacker may potentially bypass the authentication process to gain access to the system maintenance page. This may be exploited by an attacker to view sensitive information, perform software updates, or run maintenance workflows."}], "problemTypes": [{"descriptions": [{"description": "Server Authentication Bypass Vulnerability", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-06T09:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://www.securityfocus.com/archive/1/540754/30/0/threaded"}, {"name": "99243", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/99243"}, {"name": "1038718", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1038718"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "ID": "CVE-2017-4989", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "EMC Avamar Server Software 7.3.1-125, 7.3.0-233, 7.3.0-226, 7.2.1-32, 7.2.1-31, 7.2.0-401", "version": {"version_data": [{"version_value": "EMC Avamar Server Software 7.3.1-125, 7.3.0-233, 7.3.0-226, 7.2.1-32, 7.2.1-31, 7.2.0-401"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In EMC Avamar Server Software 7.3.1-125, 7.3.0-233, 7.3.0-226, 7.2.1-32, 7.2.1-31, 7.2.0-401, an unauthenticated remote attacker may potentially bypass the authentication process to gain access to the system maintenance page. This may be exploited by an attacker to view sensitive information, perform software updates, or run maintenance workflows."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Server Authentication Bypass Vulnerability"}]}]}, "references": {"reference_data": [{"name": "http://www.securityfocus.com/archive/1/540754/30/0/threaded", "refsource": "CONFIRM", "url": "http://www.securityfocus.com/archive/1/540754/30/0/threaded"}, {"name": "99243", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99243"}, {"name": "1038718", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1038718"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T14:47:44.030Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/540754/30/0/threaded"}, {"name": "99243", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/99243"}, {"name": "1038718", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1038718"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2017-4989", "datePublished": "2017-06-21T20:00:00", "dateReserved": "2016-12-29T00:00:00", "dateUpdated": "2024-08-05T14:47:44.030Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:emc:avamar_server:7.2.0-401:*:*:*:*:*:*:*", "matchCriteriaId": "5BD7E9AC-6477-4C58-A5CA-E294C2D0AB76", "vulnerable": true}, {"criteria": "cpe:2.3:a:emc:avamar_server:7.2.1-31:*:*:*:*:*:*:*", "matchCriteriaId": "3EB2AC0F-B8B3-4232-B530-D9F01D7ECCB8", "vulnerable": true}, {"criteria": "cpe:2.3:a:emc:avamar_server:7.2.1-32:*:*:*:*:*:*:*", "matchCriteriaId": "CF5A76F8-15A8-4FE5-884E-6A46337B6F5A", "vulnerable": true}, {"criteria": "cpe:2.3:a:emc:avamar_server:7.3.0-226:*:*:*:*:*:*:*", "matchCriteriaId": "D2E105BC-BCB8-481F-B21F-2FB4653CA1C6", "vulnerable": true}, {"criteria": "cpe:2.3:a:emc:avamar_server:7.3.0-233:*:*:*:*:*:*:*", "matchCriteriaId": "133FFE19-9914-4E7E-BDE4-FF04B6554F5B", "vulnerable": true}, {"criteria": "cpe:2.3:a:emc:avamar_server:7.3.1-125:*:*:*:*:*:*:*", "matchCriteriaId": "2DA69C30-4908-4DCD-AC7C-989E81FC7528", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In EMC Avamar Server Software 7.3.1-125, 7.3.0-233, 7.3.0-226, 7.2.1-32, 7.2.1-31, 7.2.0-401, an unauthenticated remote attacker may potentially bypass the authentication process to gain access to the system maintenance page. This may be exploited by an attacker to view sensitive information, perform software updates, or run maintenance workflows."}, {"lang": "es", "value": "En EMC Avamar Server Software 7.3.1-125, 7.3.0-233, 7.3.0-226, 7.2.1-32, 7.2.1-31 y 7.2.0-401, un atacante remoto no autenticado podr\u00eda omitir el proceso de autenticaci\u00f3n para obtener acceso a la p\u00e1gina de mantenimiento del sistema. Esto podr\u00eda ser explotado por un atacante para ver informaci\u00f3n sensible, realizar actualizaciones de software o llevar a cabo flujos de trabajo de mantenimiento."}], "id": "CVE-2017-4989", "lastModified": "2017-07-07T01:29:03.917", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-06-21T20:29:00.297", "references": [{"source": "security_alert@emc.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/archive/1/540754/30/0/threaded"}, {"source": "security_alert@emc.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/99243"}, {"source": "security_alert@emc.com", "url": "http://www.securitytracker.com/id/1038718"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}