CVE-2017-6712

Severity: 8.8 HIGH
EPSS: 0.8% (top 26.16%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 6 | Latest update May 17

Description

A vulnerability in certain commands of Cisco Elastic Services Controller could allow an authenticated, remote attacker to elevate privileges to root and run dangerous commands on the server. The vulnerability occurs because a "tomcat" user on the system can run certain shell commands, allowing the user to overwrite any file on the filesystem and elevate privileges to root. This vulnerability affects Cisco Elastic Services Controller prior to releases 2.3.1.434 and 2.3.2. Cisco Bug IDs: CSCvc7663

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages: 2 packages

CVEListV5 | cisco_elastic_services_controller | Cisco Elastic Services Controller

🔴 Vulnerability Details

2
GHSA
GHSA-v4w7-98vm-rrmr: A vulnerability in certain commands of Cisco Elastic Services Controller could allow an authenticated, remote attacker to elevate privileges to root a | 2022-05-17
CVEList
CVE-2017-6712: A vulnerability in certain commands of Cisco Elastic Services Controller could allow an authenticated, remote attacker to elevate privileges to root a | 2017-07-06

📋 Vendor Advisories

1
Cisco
Cisco Elastic Services Controller Arbitrary Command Execution Vulnerability | 2017-07-05