Vulnerability Details : CVE-2017-10617
The ifmap service bundled with Contrail has an XML External Entity (XXE) vulnerability that may allow an attacker to retrieve sensitive system files: an XML document submitted to the service can declare an external entity that the parser resolves against the local filesystem. Affected releases are Juniper Networks Contrail 2.2 prior to 2.21.4; 3.0 prior to 3.0.3.4; 3.1 prior to 3.1.4.0; 3.2 prior to 3.2.5.0. CVE-2017-10616 (hard-coded credentials, covered in the same Juniper bulletin) and CVE-2017-10617 can be chained together; the chain has a combined CVSSv3 score of 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N), i.e. no privileges required, whereas CVE-2017-10617 on its own is scored with PR:L (see the CVSS table below).
Vulnerability category: XML external entity (XXE) injection
Products affected by CVE-2017-10617
- cpe:2.3:a:juniper:contrail:*:*:*:*:*:*:*:* (2.2 up to, but excluding, 2.21.4)
- cpe:2.3:a:juniper:contrail:*:*:*:*:*:*:*:* (3.0 up to, but excluding, 3.0.3.4)
- cpe:2.3:a:juniper:contrail:*:*:*:*:*:*:*:* (3.1 up to, but excluding, 3.1.4.0)
- cpe:2.3:a:juniper:contrail:*:*:*:*:*:*:*:* (3.2 up to, but excluding, 3.2.5.0)
Exploit prediction scoring system (EPSS) score for CVE-2017-10617
- EPSS score: 0.15% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~52% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2017-10617
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N (CVSS v2) | 10.0 | 2.9 | NIST | |
5.0 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 3.1 | 1.4 | NIST | |
5.0 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 3.1 | 1.4 | Juniper Networks, Inc. | |
CWE ids for CVE-2017-10617
- The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. (Assigned by: nvd@nist.gov, Primary)
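The mechanism described above, as an added example that is not code from Contrail's ifmap service or from Juniper's fix: the same Python standard-library SAX parser is run twice over a constructed XML document, once with external general entity resolution switched on (the XXE-prone configuration, and the stdlib default before Python 3.7.1) and once with it switched off and DTDs rejected outright. The document, the entity name `xxe`, the `publish`/`metadata` elements and the "secret" file written to a temporary directory are all constructed for the demonstration and do not describe Contrail's actual request format.

```python
"""XXE demonstration with xml.sax: vulnerable configuration beside a hardened one.

Added example; it does not reproduce Contrail's ifmap service or Juniper's fix.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Accumulates character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    @property
    def text(self):
        return "".join(self.parts)


class RejectDoctype:
    """Lexical handler that refuses any document declaring a DTD, which is the
    only place an external entity can be declared."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError(f"DOCTYPE {name!r} rejected: DTDs are not accepted")

    # Remaining lexical events are irrelevant here; the parser requires them.
    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def xxe_document(target_path):
    """Constructed sample request: an external entity pointing at a local file.
    Element and entity names are made up for the demonstration."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE publish [\n"
        f'  <!ENTITY xxe SYSTEM "file://{target_path}">\n'
        "]>\n"
        "<publish><metadata>&xxe;</metadata></publish>\n"
    )


def parse_vulnerable(xml_text):
    """XXE-prone: external general entities are fetched and inlined, so the
    SYSTEM entity above pulls the referenced file into the document text."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.StringIO(xml_text))
    return collector.text


def parse_hardened(xml_text):
    """Hardened: external entity resolution stays off (belt) and any DOCTYPE
    aborts the parse (braces), so no entity can be declared at all."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    parser.setProperty(handler.property_lexical_handler, RejectDoctype())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.StringIO(xml_text))
    return collector.text


def demo():
    """Writes a constructed secret, then returns what leaked and whether the
    hardened parser blocked the document."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write("db_password=hunter2")  # constructed secret, not real
        doc = xxe_document(secret_path)
        leaked = parse_vulnerable(doc)
        try:
            parse_hardened(doc)
            blocked = False
        except ValueError:
            blocked = True
        return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser rejected the document:", blocked)
```

Turning `feature_external_ges` off is what stops the file read; rejecting the DOCTYPE as well means a document cannot declare entities in the first place, which also closes off parameter-entity and entity-expansion ("billion laughs") variants without touching legitimate DTD-free input.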
References for CVE-2017-10617
- https://github.com/orangecertcc/security-research/security/advisories/GHSA-wjp8-8qf6-vqmc
  Juniper Contrail - The XML External Entity (XXE) vulnerability (CVE-2017-10617), advisory in orangecertcc/security-research on GitHub (third-party advisory)
- https://kb.juniper.net/JSA10819
  Juniper Networks 2017-10 Security Bulletin: Contrail: hard coded credentials (CVE-2017-10616) and XML External Entity (XXE) vulnerability (CVE-2017-10617) (vendor advisory)