CVE-2017-6746 — Improper Input Validation in Cisco WEB Security Appliance

CWE-20 — Improper Input Validation4 documents4 sources

Severity

7.2HIGHNVD

EPSS

2.5%

top 14.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco WEB Security Appliance Cisco WEB Security Appliance

Timeline

PublishedJul 25

Latest updateMay 17

Description

A vulnerability in the web interface of the Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to perform command injection and elevate privileges to root. The attacker must authenticate with valid administrator credentials. Affected Products: Cisco AsyncOS Software 10.0 and later for WSA on both virtual and hardware appliances. More Information: CSCvd88862. Known Affected Releases: 10.1.0-204. Known Fixed Releases: 10.5.1-270 10.1.1-235.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶NVDcisco/web_security_appliance11 versions+10

▶CVEListV5cisco/cisco_web_security_applianceCisco Web Security Appliance

🔴Vulnerability Details

GHSA

GHSA-gmcr-6x9x-76r5: A vulnerability in the web interface of the Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to perform command inject↗2022-05-17

▶

CVEList

CVE-2017-6746: A vulnerability in the web interface of the Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to perform command inject↗2017-07-25

▶

📋Vendor Advisories

Cisco

Cisco Web Security Appliance Command Injection and Privilege Escalation Vulnerability↗2017-07-19

▶