cnvd - cnvd-2017-04551

CNVD-2017-04551

Vulnerability from cnvd - Published: 2017-04-17

Title

Miele Professional PG 8528 PST10目录遍历漏洞

Description

Miele Professional PG 8528 PST10是一款洗衣机消毒器。 Miele Professional PG 8528 PST10中存在目录遍历漏洞。攻击者可利用该漏洞访问敏感信息。

Severity

中

Formal description

目前没有详细的解决方案提供： https://www.miele.com/

Reference

http://www.securityfocus.com/bid/97080

Impacted products

Name
Miele PG 8528 0

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "97080"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-7240"
    }
  },
  "description": "Miele Professional PG 8528 PST10\u662f\u4e00\u6b3e\u6d17\u8863\u673a\u6d88\u6bd2\u5668\u3002\r\n\r\nMiele Professional PG 8528 PST10\u4e2d\u5b58\u5728\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u654f\u611f\u4fe1\u606f\u3002",
  "discovererName": "Jens Regel, Schneider \u0026 Wulf EDV-Beratung GmbH \u0026 Co. KG",
  "formalWay": "\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u89e3\u51b3\u65b9\u6848\u63d0\u4f9b\uff1a\r\nhttps://www.miele.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-04551",
  "openTime": "2017-04-17",
  "products": {
    "product": "Miele PG 8528 0"
  },
  "referenceLink": "http://www.securityfocus.com/bid/97080",
  "serverity": "\u4e2d",
  "submitTime": "2017-03-31",
  "title": "Miele Professional PG 8528 PST10\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e"
}

CVE-2017-7240 (GCVE-0-2017-7240)

Vulnerability from cvelistv5 – Published: 2017-03-24 15:00 – Updated: 2024-08-05 15:56

Summary

An issue was discovered on Miele Professional PST10 devices. The corresponding embedded webserver "PST10 WebServer" typically listens to port 80 and is prone to a directory traversal attack; therefore, an unauthenticated attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks. A Proof of Concept is GET /../../../../../../../../../../../../etc/shadow HTTP/1.1. This affects PG8527 devices 2.02 before 2.12, PG8527 devices 2.51 before 2.61, PG8527 devices 2.52 before 2.62, PG8527 devices 2.54 before 2.64, PG8528 devices 2.02 before 2.12, PG8528 devices 2.51 before 2.61, PG8528 devices 2.52 before 2.62, PG8528 devices 2.54 before 2.64, PG8535 devices 1.00 before 1.10, PG8535 devices 1.04 before 1.14, PG8536 devices 1.10 before 1.20, and PG8536 devices 1.14 before 1.24.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://www.miele.de/en/m/miele-admits-communicat…	x_refsource_MISC
	http://seclists.org/fulldisclosure/2017/Mar/63	x_refsource_MISC
	https://www.exploit-db.com/exploits/41718/	exploitx_refsource_EXPLOIT-DB
	https://ics-cert.us-cert.gov/advisories/ICSA-17-138-01	x_refsource_MISC
	http://www.securityfocus.com/bid/97080	vdb-entryx_refsource_BID

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T15:56:36.157Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.miele.de/en/m/miele-admits-communication-glitch-4072.htm"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2017/Mar/63"
          },
          {
            "name": "41718",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/41718/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-138-01"
          },
          {
            "name": "97080",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/97080"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-03-24T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered on Miele Professional PST10 devices. The corresponding embedded webserver \"PST10 WebServer\" typically listens to port 80 and is prone to a directory traversal attack; therefore, an unauthenticated attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks. A Proof of Concept is GET /../../../../../../../../../../../../etc/shadow HTTP/1.1. This affects PG8527 devices 2.02 before 2.12, PG8527 devices 2.51 before 2.61, PG8527 devices 2.52 before 2.62, PG8527 devices 2.54 before 2.64, PG8528 devices 2.02 before 2.12, PG8528 devices 2.51 before 2.61, PG8528 devices 2.52 before 2.62, PG8528 devices 2.54 before 2.64, PG8535 devices 1.00 before 1.10, PG8535 devices 1.04 before 1.14, PG8536 devices 1.10 before 1.20, and PG8536 devices 1.14 before 1.24."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-15T09:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.miele.de/en/m/miele-admits-communication-glitch-4072.htm"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2017/Mar/63"
        },
        {
          "name": "41718",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/41718/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-138-01"
        },
        {
          "name": "97080",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/97080"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-7240",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered on Miele Professional PST10 devices. The corresponding embedded webserver \"PST10 WebServer\" typically listens to port 80 and is prone to a directory traversal attack; therefore, an unauthenticated attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks. A Proof of Concept is GET /../../../../../../../../../../../../etc/shadow HTTP/1.1. This affects PG8527 devices 2.02 before 2.12, PG8527 devices 2.51 before 2.61, PG8527 devices 2.52 before 2.62, PG8527 devices 2.54 before 2.64, PG8528 devices 2.02 before 2.12, PG8528 devices 2.51 before 2.61, PG8528 devices 2.52 before 2.62, PG8528 devices 2.54 before 2.64, PG8535 devices 1.00 before 1.10, PG8535 devices 1.04 before 1.14, PG8536 devices 1.10 before 1.20, and PG8536 devices 1.14 before 1.24."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.miele.de/en/m/miele-admits-communication-glitch-4072.htm",
              "refsource": "MISC",
              "url": "https://www.miele.de/en/m/miele-admits-communication-glitch-4072.htm"
            },
            {
              "name": "http://seclists.org/fulldisclosure/2017/Mar/63",
              "refsource": "MISC",
              "url": "http://seclists.org/fulldisclosure/2017/Mar/63"
            },
            {
              "name": "41718",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/41718/"
            },
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-138-01",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-138-01"
            },
            {
              "name": "97080",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/97080"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-7240",
    "datePublished": "2017-03-24T15:00:00",
    "dateReserved": "2017-03-23T00:00:00",
    "dateUpdated": "2024-08-05T15:56:36.157Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-04551

CVE-2017-7240 (GCVE-0-2017-7240)

Tags

Sightings

Nomenclature