Vulnerability-Lookup

CNVD-2017-35396

Vulnerability from cnvd - Published: 2017-11-29

Title

多款EMC产品Webservice Gateway目录遍历漏洞

Description

EMC ViPR SRM等都是美国易安信（EMC）公司的产品。EMC ViPR SRM是一套存储资源管理软件。Storage M&R是一款数据存储收集器。Webservice Gateway是其中的一个网关。多款EMC产品中的Webservice Gateway存在目录遍历漏洞。远程攻击者可通过发送带有目录遍历序列‘../’的请求利用该漏洞未授权访问信息，更改或删除数据。

Severity

中

Patch Name

多款EMC产品Webservice Gateway目录遍历漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： http://www.emc.com/

Reference

http://seclists.org/fulldisclosure/2017/Sep/51 http://www.securityfocus.com/bid/100957

Impacted products

Name
['EMC ViPR SRM', 'EMC M&R (Watch4Net) for SAS Solution Packs', 'EMC Storage M&R', 'EMC VNX M&R']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "100957"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-8007"
    }
  },
  "description": "EMC ViPR SRM\u7b49\u90fd\u662f\u7f8e\u56fd\u6613\u5b89\u4fe1\uff08EMC\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002EMC ViPR SRM\u662f\u4e00\u5957\u5b58\u50a8\u8d44\u6e90\u7ba1\u7406\u8f6f\u4ef6\u3002Storage M\u0026R\u662f\u4e00\u6b3e\u6570\u636e\u5b58\u50a8\u6536\u96c6\u5668\u3002Webservice Gateway\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u7f51\u5173\u3002\r\n\r\n\u591a\u6b3eEMC\u4ea7\u54c1\u4e2d\u7684Webservice Gateway\u5b58\u5728\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u53d1\u9001\u5e26\u6709\u76ee\u5f55\u904d\u5386\u5e8f\u5217\u2018../\u2019\u7684\u8bf7\u6c42\u5229\u7528\u8be5\u6f0f\u6d1e\u672a\u6388\u6743\u8bbf\u95ee\u4fe1\u606f\uff0c\u66f4\u6539\u6216\u5220\u9664\u6570\u636e\u3002",
  "discovererName": "rgod working with Trend Micro\u0027s Zero Day Initiative",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttp://www.emc.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-35396",
  "openTime": "2017-11-29",
  "patchDescription": "EMC ViPR SRM\u7b49\u90fd\u662f\u7f8e\u56fd\u6613\u5b89\u4fe1\uff08EMC\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002EMC ViPR SRM\u662f\u4e00\u5957\u5b58\u50a8\u8d44\u6e90\u7ba1\u7406\u8f6f\u4ef6\u3002Storage M\u0026R\u662f\u4e00\u6b3e\u6570\u636e\u5b58\u50a8\u6536\u96c6\u5668\u3002Webservice Gateway\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u7f51\u5173\u3002\r\n\r\n\u591a\u6b3eEMC\u4ea7\u54c1\u4e2d\u7684Webservice Gateway\u5b58\u5728\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u53d1\u9001\u5e26\u6709\u76ee\u5f55\u904d\u5386\u5e8f\u5217\u2018../\u2019\u7684\u8bf7\u6c42\u5229\u7528\u8be5\u6f0f\u6d1e\u672a\u6388\u6743\u8bbf\u95ee\u4fe1\u606f\uff0c\u66f4\u6539\u6216\u5220\u9664\u6570\u636e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u6b3eEMC\u4ea7\u54c1Webservice Gateway\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "EMC ViPR SRM",
      "EMC M\u0026R (Watch4Net) for SAS Solution Packs",
      "EMC Storage M\u0026R",
      "EMC VNX M\u0026R"
    ]
  },
  "referenceLink": "http://seclists.org/fulldisclosure/2017/Sep/51\r\nhttp://www.securityfocus.com/bid/100957",
  "serverity": "\u4e2d",
  "submitTime": "2017-09-22",
  "title": "\u591a\u6b3eEMC\u4ea7\u54c1Webservice Gateway\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e"
}

CVE-2017-8007 (GCVE-0-2017-8007)

Vulnerability from cvelistv5 – Published: 2017-09-22 01:00 – Updated: 2024-08-05 16:19

Summary

In EMC ViPR SRM, Storage M&R, VNX M&R, and M&R (Watch4Net) for SAS Solution Packs, the Webservice Gateway is affected by a directory traversal vulnerability. Attackers with knowledge of Webservice Gateway credentials could potentially exploit this vulnerability to access unauthorized information, and modify or delete data, by supplying specially crafted strings in input parameters of the web service call.

Severity ?

No CVSS data available.

CWE

Directory Traversal

Assigner

dell

References

URL

Tags

	http://www.securityfocus.com/bid/100957	vdb-entryx_refsource_BID
	http://www.securitytracker.com/id/1039418	vdb-entryx_refsource_SECTRACK
	http://seclists.org/fulldisclosure/2017/Sep/51	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1039417	vdb-entryx_refsource_SECTRACK

Impacted products

	Vendor	Product	Version
	n/a	EMC ViPR SRM, EMC Storage M&R, EMC VNX M&R, EMC M&R (Watch4Net) for SAS Solution Packs	Affected: EMC ViPR SRM, EMC Storage M&R, EMC VNX M&R, EMC M&R (Watch4Net) for SAS Solution Packs

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T16:19:29.489Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "100957",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/100957"
          },
          {
            "name": "1039418",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1039418"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2017/Sep/51"
          },
          {
            "name": "1039417",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1039417"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "EMC ViPR SRM, EMC Storage M\u0026R, EMC VNX M\u0026R, EMC M\u0026R (Watch4Net) for SAS Solution Packs",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "EMC ViPR SRM, EMC Storage M\u0026R, EMC VNX M\u0026R, EMC M\u0026R (Watch4Net) for SAS Solution Packs"
            }
          ]
        }
      ],
      "datePublic": "2017-09-21T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In EMC ViPR SRM, Storage M\u0026R, VNX M\u0026R, and M\u0026R (Watch4Net) for SAS Solution Packs, the Webservice Gateway is affected by a directory traversal vulnerability. Attackers with knowledge of Webservice Gateway credentials could potentially exploit this vulnerability to access unauthorized information, and modify or delete data, by supplying specially crafted strings in input parameters of the web service call."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Directory Traversal",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-23T09:57:01",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "name": "100957",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/100957"
        },
        {
          "name": "1039418",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1039418"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://seclists.org/fulldisclosure/2017/Sep/51"
        },
        {
          "name": "1039417",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1039417"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security_alert@emc.com",
          "ID": "CVE-2017-8007",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "EMC ViPR SRM, EMC Storage M\u0026R, EMC VNX M\u0026R, EMC M\u0026R (Watch4Net) for SAS Solution Packs",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "EMC ViPR SRM, EMC Storage M\u0026R, EMC VNX M\u0026R, EMC M\u0026R (Watch4Net) for SAS Solution Packs"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In EMC ViPR SRM, Storage M\u0026R, VNX M\u0026R, and M\u0026R (Watch4Net) for SAS Solution Packs, the Webservice Gateway is affected by a directory traversal vulnerability. Attackers with knowledge of Webservice Gateway credentials could potentially exploit this vulnerability to access unauthorized information, and modify or delete data, by supplying specially crafted strings in input parameters of the web service call."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Directory Traversal"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "100957",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/100957"
            },
            {
              "name": "1039418",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1039418"
            },
            {
              "name": "http://seclists.org/fulldisclosure/2017/Sep/51",
              "refsource": "CONFIRM",
              "url": "http://seclists.org/fulldisclosure/2017/Sep/51"
            },
            {
              "name": "1039417",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1039417"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2017-8007",
    "datePublished": "2017-09-22T01:00:00",
    "dateReserved": "2017-04-21T00:00:00",
    "dateUpdated": "2024-08-05T16:19:29.489Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-35396

CVE-2017-8007 (GCVE-0-2017-8007)

Tags

Sightings

Nomenclature