CVE-2017-3851
Published 2017-03-22
CVE-2017-3851: A Directory Traversal vulnerability in the web framework code of the Cisco application-hosting framework (CAF) component of the Cisco IOx application…
Priority P3·52·high·7.5·CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
5.21%
91.4th percentile
A Directory Traversal vulnerability in the web framework code of the Cisco application-hosting framework (CAF) component of the Cisco IOx application environment could allow an unauthenticated, remote attacker to read any file from the CAF in the virtual instance running on the affected device. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by submitting crafted requests to the CAF web interface. The impacts of a successful exploit are limited to the scope of the virtual instance and do not impact the router that is hosting Cisco IOx. Cisco IOx Releases 1.0.0.0 and 1.1.0.0 are vulnerable. Cisco Bug IDs: CSCuy52302.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | application-hosting_framework_directory | — | — |
| cisco | iox | — | — |
| cisco | iox | — | — |
CVSS provenance
nvd·v3.0·7.5·HIGH·CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd·v2.0·5.0·MEDIUM·AV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_cisco·7.5·HIGH
GHSA
GHSA-rv9w-q754-5cw5: A Directory Traversal vulnerability in the web framework code of the Cisco application-hosting framework (CAF) component of the Cisco IOx application
ghsa_unreviewed·2022-05-17
CVE-2017-3851 [HIGH] CWE-22 GHSA-rv9w-q754-5cw5: A Directory Traversal vulnerability in the web framework code of the Cisco application-hosting framework (CAF) component of the Cisco IOx application
Cisco
Cisco Application-Hosting Framework Directory Traversal Vulnerability
vendor_cisco·2017-03-22·CVSS 7.5
CVE-2017-3851 [HIGH] CWE-22 Cisco Application-Hosting Framework Directory Traversal Vulnerability
A vulnerability in the web framework code of the Cisco application-hosting framework (CAF) component of the Cisco IOx application environment could allow an unauthenticated, remote attacker to read any file from the CAF in the virtual instance running on the affected device.
The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by submitting crafted requests to the CAF web interface. The impacts of a successful exploit are limited to the scope of the virtual instance and do not impact the router that is hosting Cisco IOx.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is ava
Cisco
Cisco Application-Hosting Framework Directory Traversal Vulnerability
vendor_cisco·CVSS 3.0
CVE-2017-3851 Cisco Application-Hosting Framework Directory Traversal Vulnerability
CVE-2017-3851: Cisco Application-Hosting Framework Directory Traversal Vulnerability
A vulnerability in the web framework code of the Cisco application-hosting framework (CAF) component of the Cisco IOx application environment could allow an unauthenticated, remote attacker to read any file from the CAF in the virtual instance running on the affected device. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by submitting crafted requests to the CAF web interface. The impacts of a successful exploit are limited to the scope of the virtual instance and do not impact the router that is hosting Cisco IOx. Cisco has released software updates that address this vulnerability. There are no
CVSS: 3.0
CWE: CWE-22
Bug IDs: CSCuy52302
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://www.securityfocus.com/bid/97013
http://www.securitytracker.com/id/1038106
http://www.securitytracker.com/id/1038107
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-caf1
2017-03-22
Published