cnvd - cnvd-2017-22829

CNVD-2017-22829

Vulnerability from cnvd - Published: 2017-08-25

Title

ALC WebCTRL i-Vu/SiteScan Web路径遍历漏洞

Description

ALC WebCTRL是建筑自动化平台。 ALC WebCTRL, i-Vu, SiteScan Web 6.5及之前版本存在安全漏洞，允许经身份验证的用户复写用于执行代码的文件。

Severity

高

Patch Name

ALC WebCTRL i-Vu/SiteScan Web路径遍历漏洞的补丁

Patch Description

ALC WebCTRL是建筑自动化平台。 ALC WebCTRL, i-Vu, SiteScan Web 6.5及之前版本存在安全漏洞，允许经身份验证的用户复写用于执行代码的文件。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： http://www.automatedlogic.com/Pages/Security.aspx

Reference

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9640

Impacted products

Name
['IBM Automated Logic Corporation SiteScan Web <= 6.5', 'Automated Logic Corporation ALC WebCTRL，i-Vu <=6.0', 'Automated Logic Corporation ALC WebCTRL，SiteScan Web <=6.1', 'Automated Logic Corporation SiteScan Web，i-Vu，ALC WebCTRL <=6.5', 'Automated Logic Corporation SiteScan Web，i-Vu，ALC WebCTRL <=5.5', 'Automated Logic Corporation SiteScan Web，i-Vu，ALC WebCTRL <=5.2']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-9640"
    }
  },
  "description": "ALC WebCTRL\u662f\u5efa\u7b51\u81ea\u52a8\u5316\u5e73\u53f0\u3002\r\n\r\nALC WebCTRL, i-Vu, SiteScan Web 6.5\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u5141\u8bb8\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u590d\u5199\u7528\u4e8e\u6267\u884c\u4ee3\u7801\u7684\u6587\u4ef6\u3002",
  "discovererName": "Gjoko Krstic \uff08liquidworm@gmail.com\uff09",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\nhttp://www.automatedlogic.com/Pages/Security.aspx",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-22829",
  "openTime": "2017-08-25",
  "patchDescription": "ALC WebCTRL\u662f\u5efa\u7b51\u81ea\u52a8\u5316\u5e73\u53f0\u3002\r\n\r\nALC WebCTRL, i-Vu, SiteScan Web 6.5\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u5141\u8bb8\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u590d\u5199\u7528\u4e8e\u6267\u884c\u4ee3\u7801\u7684\u6587\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "ALC WebCTRL i-Vu/SiteScan Web\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "IBM Automated Logic Corporation SiteScan Web \u003c= 6.5",
      "Automated Logic Corporation ALC WebCTRL\uff0ci-Vu \u003c=6.0",
      "Automated Logic Corporation ALC WebCTRL\uff0cSiteScan Web \u003c=6.1",
      "Automated Logic Corporation SiteScan Web\uff0ci-Vu\uff0cALC WebCTRL \u003c=6.5",
      "Automated Logic Corporation SiteScan Web\uff0ci-Vu\uff0cALC WebCTRL  \u003c=5.5",
      "Automated Logic Corporation SiteScan Web\uff0ci-Vu\uff0cALC WebCTRL  \u003c=5.2"
    ]
  },
  "referenceLink": "http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9640",
  "serverity": "\u9ad8",
  "submitTime": "2017-08-24",
  "title": "ALC WebCTRL i-Vu/SiteScan Web\u8def\u5f84\u904d\u5386\u6f0f\u6d1e"
}

CVE-2017-9640 (GCVE-0-2017-9640)

Vulnerability from cvelistv5 – Published: 2017-08-25 19:00 – Updated: 2024-08-05 17:11

Summary

A Path Traversal issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web prior to 6.5; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior. An authenticated attacker may be able to overwrite files that are used to execute code. This vulnerability does not affect version 6.5 of the software.

Severity ?

No CVSS data available.

CWE

CWE-22

Assigner

icscert

References

URL

Tags

	http://www.securityfocus.com/bid/100452	vdb-entryx_refsource_BID
	https://www.exploit-db.com/exploits/42543/	exploitx_refsource_EXPLOIT-DB
	https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	Automated Logic Corporation WebCTRL, i-VU, SiteScan	Affected: Automated Logic Corporation WebCTRL, i-VU, SiteScan

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T17:11:02.350Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "100452",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/100452"
          },
          {
            "name": "42543",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/42543/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Automated Logic Corporation WebCTRL, i-VU, SiteScan",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Automated Logic Corporation WebCTRL, i-VU, SiteScan"
            }
          ]
        }
      ],
      "datePublic": "2017-08-25T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A Path Traversal issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web prior to 6.5; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior. An authenticated attacker may be able to overwrite files that are used to execute code. This vulnerability does not affect version 6.5 of the software."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-06T09:57:02",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "name": "100452",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/100452"
        },
        {
          "name": "42543",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/42543/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2017-9640",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Automated Logic Corporation WebCTRL, i-VU, SiteScan",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Automated Logic Corporation WebCTRL, i-VU, SiteScan"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A Path Traversal issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web prior to 6.5; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior. An authenticated attacker may be able to overwrite files that are used to execute code. This vulnerability does not affect version 6.5 of the software."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "100452",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/100452"
            },
            {
              "name": "42543",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/42543/"
            },
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2017-9640",
    "datePublished": "2017-08-25T19:00:00",
    "dateReserved": "2017-06-14T00:00:00",
    "dateUpdated": "2024-08-05T17:11:02.350Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-22829

CVE-2017-9640 (GCVE-0-2017-9640)

Tags

Sightings

Nomenclature