CVE-2017-6708
published 2017-07-06CVE-2017-6708: A vulnerability in the symbolic link (symlink) creation functionality of the AutoVNF tool for the Cisco Ultra Services Framework could allow an…
PriorityP359critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
1.46%
70.2th percentile
A vulnerability in the symbolic link (symlink) creation functionality of the AutoVNF tool for the Cisco Ultra Services Framework could allow an unauthenticated, remote attacker to read sensitive files or execute malicious code on an affected system. The vulnerability is due to the absence of validation checks for the input that is used to create symbolic links. This vulnerability affects all releases of the Cisco Ultra Services Framework prior to Releases 5.0.3 and 5.1. Cisco Bug IDs: CSCvc76654.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | ultra_services_framework | <= 5.0.2 | — |
| cisco | ultra_services_framework_autovnf_symbolic_link_handling | — | — |
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_cisco7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-pfr5-rwfq-66qc: A vulnerability in the symbolic link (symlink) creation functionality of the AutoVNF tool for the Cisco Ultra Services Framework could allow an unauth
ghsa_unreviewed·2022-05-17
CVE-2017-6708 [CRITICAL] CWE-200 GHSA-pfr5-rwfq-66qc: A vulnerability in the symbolic link (symlink) creation functionality of the AutoVNF tool for the Cisco Ultra Services Framework could allow an unauth
A vulnerability in the symbolic link (symlink) creation functionality of the AutoVNF tool for the Cisco Ultra Services Framework could allow an unauthenticated, remote attacker to read sensitive files or execute malicious code on an affected system. The vulnerability is due to the absence of validation checks for the input that is used to create symbolic links. This vulnerability affects all releases of the Cisco Ultra Services Framework prior to Releases 5.0.3 and 5.1. Cisco Bug IDs: CSCvc76654.
Cisco
Cisco Ultra Services Framework AutoVNF Symbolic Link Handling Information Disclosure Vulnerability
vendor_cisco·2017-07-05·CVSS 7.5
CVE-2017-6708 [HIGH] CWE-200 Cisco Ultra Services Framework AutoVNF Symbolic Link Handling Information Disclosure Vulnerability
Cisco Ultra Services Framework AutoVNF Symbolic Link Handling Information Disclosure Vulnerability
A vulnerability in the symbolic link (symlink) creation functionality of the AutoVNF tool for the Cisco Ultra Services Framework could allow an unauthenticated, remote attacker to read sensitive files or execute malicious code on an affected system.
The vulnerability is due to the absence of validation checks for the input that is used to create symbolic links. A successful exploit could allow the attacker to read any sensitive file or execute malicious code on an affected system.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/se
Cisco
Cisco Ultra Services Framework AutoVNF Symbolic Link Handling Information Disclosure Vulnerability
vendor_cisco·CVSS 3.0
CVE-2017-6708 Cisco Ultra Services Framework AutoVNF Symbolic Link Handling Information Disclosure Vulnerability
CVE-2017-6708: Cisco Ultra Services Framework AutoVNF Symbolic Link Handling Information Disclosure Vulnerability
A vulnerability in the symbolic link ( symlink ) creation functionality of the AutoVNF tool for the Cisco Ultra Services Framework could allow an unauthenticated, remote attacker to read sensitive files or execute malicious code on an affected system. The vulnerability is due to the absence of validation checks for the input that is used to create symbolic links. A successful exploit could allow the attacker to read any sensitive file or execute malicious code on an affected system. Cisco has released software updates that address this vulnerability. There are no
CVSS: 3.0
CWE: CWE-200, CWE-200
Bug IDs: CSCvc76654
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2017-07-06
Published