CVE-2017-16720 : A Path Traversal issue was discovered in WebAccess versions 8.3.2 and earlier. A

A Path Traversal issue was discovered in WebAccess versions 8.3.2 and earlier. An attacker has access to files within the directory structure of the target device.

Published 2018-01-05 08:29:00

Updated 2019-10-09 23:25:14

Source ICS-CERT

View at NVD, CVE.org

Vulnerability category: Directory traversal

Products affected by CVE-2017-16720

Advantech » Webaccess
Versions up to, including, (<=) 8.3.2
cpe:2.3:a:advantech:webaccess:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2017-16720

EPSS FAQ

34.16%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 97 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-16720

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-16720

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Assigned by:
- ics-cert@hq.dhs.gov (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2017-16720

https://www.exploit-db.com/exploits/44278/

Advantech WebAccess < 8.3 - Directory Traversal / Remote Code Execution
Exploit;Third Party Advisory;VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-18-004-02

404 - File Not Found | CISA
Broken Link;Third Party Advisory;US Government Resource

CVEs referencing this url
http://www.securityfocus.com/bid/102424

Advantech WebAccess ICSA-18-004-02 Multiple Security Vulnerabilities
Third Party Advisory;VDB Entry

CVEs referencing this url
https://www.tenable.com/security/research/tra-2018-23

[R1] Advantech WebAccess Remote Code Execution - Research Advisory | Tenable®
Third Party Advisory
https://www.zerodayinitiative.com/advisories/ZDI-18-024/

ZDI-18-024 | Zero Day Initiative
Third Party Advisory

Jump to

Vulnerability Details : CVE-2017-16720

Products affected by CVE-2017-16720

Exploit prediction scoring system (EPSS) score for CVE-2017-16720

CVSS scores for CVE-2017-16720

CWE ids for CVE-2017-16720

References for CVE-2017-16720