CVE-2017-6754 - OpenCVE

Vendors	Products
Cisco	Smart Net Total Care Collector Appliance

Link	Providers
http://www.securityfocus.com/bid/100126
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvf07617
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170802-sntc

{"containers": {"cna": {"affected": [{"product": "Cisco Smart Net Total Care Software Collector Appliance", "vendor": "n/a", "versions": [{"status": "affected", "version": "Cisco Smart Net Total Care Software Collector Appliance"}]}], "datePublic": "2017-08-07T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based management interface of the Cisco Smart Net Total Care (SNTC) Software Collector Appliance 3.11 could allow an authenticated, remote attacker to perform a read-only, blind SQL injection attack, which could allow the attacker to compromise the confidentiality of the system through SQL timing attacks. The vulnerability is due to insufficient input validation of certain user-supplied fields that are subsequently used by the affected software to build SQL queries. An attacker could exploit this vulnerability by submitting crafted URLs, which are designed to exploit the vulnerability, to the affected software. To execute an attack successfully, the attacker would need to submit a number of requests to the affected software. A successful exploit could allow the attacker to determine the presence of values in the SQL database of the affected software. Cisco Bug IDs: CSCvf07617."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2017-08-07T09:57:02", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://quickview.cloudapps.cisco.com/quickview/bug/CSCvf07617"}, {"name": "100126", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/100126"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170802-sntc"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@cisco.com", "ID": "CVE-2017-6754", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cisco Smart Net Total Care Software Collector Appliance", "version": {"version_data": [{"version_value": "Cisco Smart Net Total Care Software Collector Appliance"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the web-based management interface of the Cisco Smart Net Total Care (SNTC) Software Collector Appliance 3.11 could allow an authenticated, remote attacker to perform a read-only, blind SQL injection attack, which could allow the attacker to compromise the confidentiality of the system through SQL timing attacks. The vulnerability is due to insufficient input validation of certain user-supplied fields that are subsequently used by the affected software to build SQL queries. An attacker could exploit this vulnerability by submitting crafted URLs, which are designed to exploit the vulnerability, to the affected software. To execute an attack successfully, the attacker would need to submit a number of requests to the affected software. A successful exploit could allow the attacker to determine the presence of values in the SQL database of the affected software. Cisco Bug IDs: CSCvf07617."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89"}]}]}, "references": {"reference_data": [{"name": "https://quickview.cloudapps.cisco.com/quickview/bug/CSCvf07617", "refsource": "CONFIRM", "url": "https://quickview.cloudapps.cisco.com/quickview/bug/CSCvf07617"}, {"name": "100126", "refsource": "BID", "url": "http://www.securityfocus.com/bid/100126"}, {"name": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170802-sntc", "refsource": "CONFIRM", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170802-sntc"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T15:41:17.116Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://quickview.cloudapps.cisco.com/quickview/bug/CSCvf07617"}, {"name": "100126", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/100126"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170802-sntc"}]}]}, "cveMetadata": {"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2017-6754", "datePublished": "2017-08-07T06:00:00", "dateReserved": "2017-03-09T00:00:00", "dateUpdated": "2024-08-05T15:41:17.116Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:smart_net_total_care_collector_appliance:3.11:*:*:*:*:*:*:*", "matchCriteriaId": "07DA489C-B051-45DB-B068-96E09B7E57BF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based management interface of the Cisco Smart Net Total Care (SNTC) Software Collector Appliance 3.11 could allow an authenticated, remote attacker to perform a read-only, blind SQL injection attack, which could allow the attacker to compromise the confidentiality of the system through SQL timing attacks. The vulnerability is due to insufficient input validation of certain user-supplied fields that are subsequently used by the affected software to build SQL queries. An attacker could exploit this vulnerability by submitting crafted URLs, which are designed to exploit the vulnerability, to the affected software. To execute an attack successfully, the attacker would need to submit a number of requests to the affected software. A successful exploit could allow the attacker to determine the presence of values in the SQL database of the affected software. Cisco Bug IDs: CSCvf07617."}, {"lang": "es", "value": "Una vulnerabilidad en la interfaz de gesti\u00f3n basada en web de Cisco Smart Net Total Care (SNTC) Software Collector Appliance 3.11 podr\u00eda permitir que un atacante remoto autenticado realice un ataque ciego de s\u00f3lo lectura de inyecci\u00f3n SQL, lo que har\u00eda que este comprometiese la confidencialidad del sistema mediante ataques SQL basados en tiempo. La vulnerabilidad se debe a que no se validan lo suficiente los campos de entrada de datos de usuario que son, posteriormente, empleados por el software afectado para realizar consultas SQL. Un atacante podr\u00eda explotar esta vulnerabilidad enviando al software afectado URL manipuladas dise\u00f1adas para este fin. Para llevar a cabo este ataque de forma exitosa, el atacante necesitar\u00eda enviar una serie de peticiones al software afectado. Si se realiza correctamente, esta vulnerabilidad podr\u00eda permitir que el atacante determine la presencia de valores en la base de datos SQL del software afectado. Cisco Bug IDs: CSCvf07617."}], "id": "CVE-2017-6754", "lastModified": "2019-10-09T23:29:03.700", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-08-07T06:29:00.417", "references": [{"source": "ykramarz@cisco.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100126"}, {"source": "ykramarz@cisco.com", "tags": ["Vendor Advisory"], "url": "https://quickview.cloudapps.cisco.com/quickview/bug/CSCvf07617"}, {"source": "ykramarz@cisco.com", "tags": ["Vendor Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170802-sntc"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "ykramarz@cisco.com", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object