CVE-2017-8051
Published 2017-04-21
Priority: P272, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 16.48% (96.6th percentile)
Tenable Appliance 3.5 - 4.4.0, and possibly prior versions, contains a flaw in the simpleupload.py script in the Web UI. Through the manipulation of the tns_appliance_session_user parameter, a remote attacker can inject arbitrary commands.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tenable | appliance | — | — |
Detection & IOCs
- Monitor HTTP requests to /simpleupload.py for manipulation of the `tns_appliance_session_user` parameter, particularly values containing shell metacharacters (e.g., `&`, `|`, `;`, `%26`, `%0a`) indicative of command injection.
- Look for URL-encoded shell payloads in the `tns_appliance_session_user` parameter, specifically `%26` (ampersand) and `%0a` (newline) used to chain commands and establish reverse shells via `/dev/tcp`.
- A public exploit for this RCE was published on 2017-04-18 by researcher 'agix'; treat any exploitation attempts against /simpleupload.py after this date as active in-the-wild exploitation.
- All Tenable Appliance versions in the 3.x and 4.x lines are affected (3.4.0, 3.5.0, 3.5.1, 3.10.0, 3.10.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.3.1, 4.4.0); the vulnerability is exploitable without authentication.
- Tenable strongly recommends the appliance be placed on a non-Internet-addressable subnet to reduce exposure to this unauthenticated RCE.
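
One way to apply the two monitoring items above to captured requests, as an added example that is not part of the original page or any vendor tooling. It assumes the parameter is visible in the logged query string or URL-encoded body; the log layout, sample lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/simpleupload.py"
PARAM = "tns_appliance_session_user"
# Raw value as logged: runs until the next pair separator, space or quote.
VALUE = re.compile(re.escape(PARAM) + r'=([^&\s"]*)')
# Characters a session user name has no reason to carry but a shell acts on.
SHELL_META = re.compile(r"[&|;`$<>\r\n]")

def fully_decode(value, max_rounds=3):
    """Undo nested URL encoding (e.g. %2526 -> %26 -> &), bounded."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return reasons this log line is suspicious, or [] if it is clean."""
    if ENDPOINT not in line:
        return []
    reasons = []
    for raw in VALUE.findall(line):
        decoded = fully_decode(raw)
        hits = sorted(set(SHELL_META.findall(decoded)))
        if hits:
            reasons.append("shell metacharacters " + repr(hits))
        if "/dev/tcp" in decoded:
            reasons.append("/dev/tcp redirection")
    return reasons

def scan(lines):
    """Map 1-based line number -> reasons, for flagged lines only."""
    return {n: r for n, line in enumerate(lines, 1) if (r := inspect_line(line))}

# Constructed sample lines (hypothetical log layout, documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 "POST /simpleupload.py HTTP/1.1" 200 body="tns_appliance_session_user=admin&upload=1"',
    '198.51.100.7 "POST /simpleupload.py HTTP/1.1" 200 body="tns_appliance_session_user=a%26id%0a"',
    '198.51.100.7 "GET /simpleupload.py?tns_appliance_session_user=a%2526id HTTP/1.1" 200 body=""',
    '203.0.113.5 "GET /index.html?q=a%26b HTTP/1.1" 200 body=""',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG).items():
        print(number, "; ".join(reasons))
```

Values are extracted before decoding because an encoded `%26` stays inside the parameter value, while a raw `&` would have ended it; the bounded repeat decode catches double-encoded variants such as `%2526`.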
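CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |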
No detection rules found.
Published: 2017-04-21