Vulnerability Details : CVE-2017-6746
A vulnerability in the web interface of the Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to perform command injection and elevate privileges to root. The attacker must authenticate with valid administrator credentials. Affected Products: Cisco AsyncOS Software 10.0 and later for WSA on both virtual and hardware appliances. More Information: CSCvd88862. Known Affected Releases: 10.1.0-204. Known Fixed Releases: 10.5.1-270 10.1.1-235.
Vulnerability category: Input validation
Products affected by CVE-2017-6746
- cpe:2.3:a:cisco:web_security_appliance:10.1.1-230:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:web_security_appliance:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:web_security_appliance:10.5.0-358:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:web_security_appliance:10.1.1-234:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:web_security_appliance:10.0_base:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:web_security_appliance:10.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:web_security_appliance:10.1.0-204:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:web_security_appliance:10.0.0-233:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:web_security_appliance:11.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:web_security_appliance:11.0.0-641:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:web_security_appliance:11.0.0-613:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-6746
0.33%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 70 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-6746
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.0
|
HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C |
8.0
|
10.0
|
NIST | |
7.2
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
1.2
|
5.9
|
NIST |
CWE ids for CVE-2017-6746
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-6746
-
http://www.securitytracker.com/id/1038948
Cisco Web Security Appliance Flaw Lets Remote Authenticated Users Execute Arbitrary Commands on the Target System - SecurityTrackerThird Party Advisory;VDB Entry
-
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170719-wsa1
Cisco Web Security Appliance Command Injection and Privilege Escalation VulnerabilityVendor Advisory
-
http://www.securityfocus.com/bid/99877
Cisco AsyncOS Software CVE-2017-6746 Command Injection VulnerabilityThird Party Advisory;VDB Entry
Jump to