Vulnerability Details: CVE-2017-14001
An Improper Neutralization of Special Elements used in an OS Command issue was discovered in Digium Asterisk GUI 2.1.0 and prior. An OS command injection vulnerability has been identified that may allow the execution of arbitrary code on the system through the inclusion of OS commands in the URL request of the program.
Products affected by CVE-2017-14001
- cpe:2.3:a:digium:asterisk_gui:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-14001
- 1.65%: Probability of exploitation activity in the next 30 days
- ~ 80%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-14001
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.0 | HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C | 8.0 | 10.0 | NIST | |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2017-14001
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Assigned by:
- ics-cert@hq.dhs.gov (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2017-14001
- https://ics-cert.us-cert.gov/advisories/ICSA-17-264-03
  Digium Asterisk GUI | CISA (Third Party Advisory; US Government Resource)
- http://www.securityfocus.com/bid/100950
  Digium Asterisk GUI CVE-2017-14001 OS Command Injection Vulnerability (Third Party Advisory; VDB Entry)