cvelistv5 - cve-2017-6042

CVE-2017-6042 (GCVE-0-2017-6042)

Vulnerability from cvelistv5 – Published: 2017-06-30 02:35 – Updated: 2024-08-05 15:18

Summary

Severity ?

No CVSS data available.

CWE

CWE-352

Assigner

icscert

References

URL

	Vendor	Product	Version
	n/a	Sierra Wireless AirLink Raven XE and XT	Affected: Sierra Wireless AirLink Raven XE and XT

ICSA-17-115-02

Vulnerability from csaf_cisa - Published: 2017-04-25 00:00 - Updated: 2017-04-25 00:00

Summary

Sierra Wireless AirLink Raven XE and XT

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

ATTENTION: Remotely exploitable/low skill level to exploit. Public exploits are available.

Countries/areas deployed

Worldwide

Company headquarters location

British Columbia, Canada

Recommended Practices

NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Recommended Practices

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Recommended Practices

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available in the ICS -CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.

Recommended Practices

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

Exploitability

No known public exploits specifically target these vulnerabilities.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Karn Ganeshen"
        ],
        "summary": "identifying and publicly released vulnerabilities in the Sierra Wireless AirLink Raven XE and XT Gateways prior to coordinating with ICS-CERT; however, the researcher did initially coordinate the identifying vulnerabilities with the vendor"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "ATTENTION: Remotely exploitable/low skill level to exploit. Public exploits are available.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "British Columbia, Canada",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available in the ICS -CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-17-115-02 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2017/icsa-17-115-02.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-17-115-02 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-17-115-02"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-17-115-02"
      }
    ],
    "title": "Sierra Wireless AirLink Raven XE and XT",
    "tracking": {
      "current_release_date": "2017-04-25T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-17-115-02",
      "initial_release_date": "2017-04-25T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2017-04-25T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-17-115-02 Sierra Wireless AirLink Raven XE and XT"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 4.0.11",
                "product": {
                  "name": "AirLink Raven XT: all versions prior to 4.0.11",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "AirLink Raven XT"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 4.0.14",
                "product": {
                  "name": "AirLink Raven XE: all versions prior to 4.0.14",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "AirLink Raven XE"
          }
        ],
        "category": "vendor",
        "name": "Sierra Wireless"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2017-6044",
      "cwe": {
        "id": "CWE-285",
        "name": "Improper Authorization"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Several files and directories can be accessed without authentication, which may allow a remote attacker to perform sensitive functions including arbitrary file upload, file download, and device reboot.CVE-2017-6044 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6044"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Sierra Wireless has released new firmware versions to address the forced browsing and cross-site request forgery vulnerabilities. Sierra Wireless reports that the insufficiently protected credentials vulnerability will not be addressed.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        },
        {
          "category": "mitigation",
          "details": "Sierra Wireless\u0027s Raven XE firmware Version 4.0.14",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ],
          "url": "https://source.sierrawireless.com/resources/airlink/software_downloads/nucaleos/raven-xe-firmware-list/"
        },
        {
          "category": "mitigation",
          "details": "Sierra Wireless\u0027s Raven XT firmware Version 4.0.11",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ],
          "url": "https://source.sierrawireless.com/resources/airlink/software_downloads/nucaleos/raven-xt-firmware-list/"
        },
        {
          "category": "mitigation",
          "details": "Sierra Wireless has released a Technical Bulletin",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ],
          "url": "https://source.sierrawireless.com/resources/airlink/software_reference_docs/raven-ics-alert-16-182-01/"
        },
        {
          "category": "mitigation",
          "details": "For additional information about these vulnerabilities or the recommendations provided, please contact Sierra Wireless\u0027 security team at security@sierrawireless.com",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2017-6042",
      "cwe": {
        "id": "CWE-352",
        "name": "Cross-Site Request Forgery (CSRF)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Affected devices do not verify if a request was intentionally sent by the logged-in user, which may allow an attacker to trick a client into making an unintentional request to the web server that will be treated as an authentic request.CVE-2017-6042 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6042"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Sierra Wireless has released new firmware versions to address the forced browsing and cross-site request forgery vulnerabilities. Sierra Wireless reports that the insufficiently protected credentials vulnerability will not be addressed.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        },
        {
          "category": "mitigation",
          "details": "Sierra Wireless\u0027s Raven XE firmware Version 4.0.14",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ],
          "url": "https://source.sierrawireless.com/resources/airlink/software_downloads/nucaleos/raven-xe-firmware-list/"
        },
        {
          "category": "mitigation",
          "details": "Sierra Wireless\u0027s Raven XT firmware Version 4.0.11",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ],
          "url": "https://source.sierrawireless.com/resources/airlink/software_downloads/nucaleos/raven-xt-firmware-list/"
        },
        {
          "category": "mitigation",
          "details": "Sierra Wireless has released a Technical Bulletin",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ],
          "url": "https://source.sierrawireless.com/resources/airlink/software_reference_docs/raven-ics-alert-16-182-01/"
        },
        {
          "category": "mitigation",
          "details": "For additional information about these vulnerabilities or the recommendations provided, please contact Sierra Wireless\u0027 security team at security@sierrawireless.com",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2017-6046",
      "cwe": {
        "id": "CWE-522",
        "name": "Insufficiently Protected Credentials"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Sensitive information is insufficiently protected during transmission and vulnerable to sniffing, which could lead to information disclosure.CVE-2017-6046 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6046"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Sierra Wireless has released new firmware versions to address the forced browsing and cross-site request forgery vulnerabilities. Sierra Wireless reports that the insufficiently protected credentials vulnerability will not be addressed.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        },
        {
          "category": "mitigation",
          "details": "Sierra Wireless\u0027s Raven XE firmware Version 4.0.14",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ],
          "url": "https://source.sierrawireless.com/resources/airlink/software_downloads/nucaleos/raven-xe-firmware-list/"
        },
        {
          "category": "mitigation",
          "details": "Sierra Wireless\u0027s Raven XT firmware Version 4.0.11",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ],
          "url": "https://source.sierrawireless.com/resources/airlink/software_downloads/nucaleos/raven-xt-firmware-list/"
        },
        {
          "category": "mitigation",
          "details": "Sierra Wireless has released a Technical Bulletin",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ],
          "url": "https://source.sierrawireless.com/resources/airlink/software_reference_docs/raven-ics-alert-16-182-01/"
        },
        {
          "category": "mitigation",
          "details": "For additional information about these vulnerabilities or the recommendations provided, please contact Sierra Wireless\u0027 security team at security@sierrawireless.com",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ]
    }
  ]
}

GSD-2017-6042

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2017-6042

Aliases

CVE-2017-6042

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-6042",
    "description": "A Cross-Site Request Forgery issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Affected devices do not verify if a request was intentionally sent by the logged-in user, which may allow an attacker to trick a client into making an unintentional request to the web server that will be treated as an authentic request.",
    "id": "GSD-2017-6042"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-6042"
      ],
      "details": "A Cross-Site Request Forgery issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Affected devices do not verify if a request was intentionally sent by the logged-in user, which may allow an attacker to trick a client into making an unintentional request to the web server that will be treated as an authentic request.",
      "id": "GSD-2017-6042",
      "modified": "2023-12-13T01:21:10.185003Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "ID": "CVE-2017-6042",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Sierra Wireless AirLink Raven XE and XT",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Sierra Wireless AirLink Raven XE and XT"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A Cross-Site Request Forgery issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Affected devices do not verify if a request was intentionally sent by the logged-in user, which may allow an attacker to trick a client into making an unintentional request to the web server that will be treated as an authentic request."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-352"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-115-02",
            "refsource": "MISC",
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-115-02"
          },
          {
            "name": "98036",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/98036"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:sierra_wireless:airlink_raven_xe_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "-",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:sierra_wireless:airlink_raven_xe:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:sierra_wireless:airlink_raven_xt_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:sierra_wireless:airlink_raven_xt:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2017-6042"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A Cross-Site Request Forgery issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Affected devices do not verify if a request was intentionally sent by the logged-in user, which may allow an attacker to trick a client into making an unintentional request to the web server that will be treated as an authentic request."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-352"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-115-02",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "US Government Resource",
                "VDB Entry"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-115-02"
            },
            {
              "name": "98036",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/98036"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2019-10-09T23:28Z",
      "publishedDate": "2017-06-30T03:29Z"
    }
  }
}

GHSA-WP73-M8WC-M2MM

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36

Details

Severity ?

8.8 (High)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2017-6042"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-30T03:29:00Z",
    "severity": "HIGH"
  },
  "details": "A Cross-Site Request Forgery issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Affected devices do not verify if a request was intentionally sent by the logged-in user, which may allow an attacker to trick a client into making an unintentional request to the web server that will be treated as an authentic request.",
  "id": "GHSA-wp73-m8wc-m2mm",
  "modified": "2022-05-13T01:36:34Z",
  "published": "2022-05-13T01:36:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6042"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-115-02"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98036"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CNVD-2017-06451

Vulnerability from cnvd - Published: 2017-05-14

Title

Sierra Wireless AirLink Raven XE和XT跨站请求伪造漏洞

Description

Sierra Wireless AirLink Raven XE和XT都是加拿大Sierra Wireless公司的无线网关产品。 Sierra Wireless AirLink Raven XE和XT中存在跨站请求伪造漏洞，由于程序未能验证请求是否来自登录用户。远程攻击者可利用该漏洞执行未授权的操作。

Severity

中

Patch Name

Sierra Wireless AirLink Raven XE和XT跨站请求伪造漏洞的补丁

Patch Description

Sierra Wireless AirLink Raven XE和XT都是加拿大Sierra Wireless公司的无线网关产品。 Sierra Wireless AirLink Raven XE和XT中存在跨站请求伪造漏洞，由于程序未能验证请求是否来自登录用户。远程攻击者可利用该漏洞执行未授权的操作。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： https://source.sierrawireless.com/resources/airlink/software_reference_docs/raven-ics-alert-16-182-01/

Reference

http://www.securityfocus.com/bid/98036

Impacted products

Name
['Sierra Wireless AirLink Raven XE', 'Sierra Wireless AirLink Raven XT <4.0.11']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "98036"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-6042"
    }
  },
  "description": "Sierra Wireless AirLink Raven XE\u548cXT\u90fd\u662f\u52a0\u62ff\u5927Sierra Wireless\u516c\u53f8\u7684\u65e0\u7ebf\u7f51\u5173\u4ea7\u54c1\u3002\r\n\r\nSierra Wireless AirLink Raven XE\u548cXT\u4e2d\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u7531\u4e8e\u7a0b\u5e8f\u672a\u80fd\u9a8c\u8bc1\u8bf7\u6c42\u662f\u5426\u6765\u81ea\u767b\u5f55\u7528\u6237\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u672a\u6388\u6743\u7684\u64cd\u4f5c\u3002",
  "discovererName": "Sierra Wireless",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a      https://source.sierrawireless.com/resources/airlink/software_reference_docs/raven-ics-alert-16-182-01/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-06451",
  "openTime": "2017-05-14",
  "patchDescription": "Sierra Wireless AirLink Raven XE\u548cXT\u90fd\u662f\u52a0\u62ff\u5927Sierra Wireless\u516c\u53f8\u7684\u65e0\u7ebf\u7f51\u5173\u4ea7\u54c1\u3002\r\n\r\nSierra Wireless AirLink Raven XE\u548cXT\u4e2d\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u7531\u4e8e\u7a0b\u5e8f\u672a\u80fd\u9a8c\u8bc1\u8bf7\u6c42\u662f\u5426\u6765\u81ea\u767b\u5f55\u7528\u6237\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u672a\u6388\u6743\u7684\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Sierra Wireless AirLink Raven XE\u548cXT\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Sierra Wireless AirLink Raven XE",
      "Sierra Wireless AirLink Raven XT \u003c4.0.11"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/98036",
  "serverity": "\u4e2d",
  "submitTime": "2017-05-09",
  "title": "Sierra Wireless AirLink Raven XE\u548cXT\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e"
}

FKIE_CVE-2017-6042

Vulnerability from fkie_nvd - Published: 2017-06-30 03:29 - Updated: 2025-04-20 01:37

Severity ?

8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
ics-cert@hq.dhs.gov	http://www.securityfocus.com/bid/98036	Third Party Advisory, VDB Entry
ics-cert@hq.dhs.gov	https://ics-cert.us-cert.gov/advisories/ICSA-17-115-02	Third Party Advisory, US Government Resource, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/98036	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://ics-cert.us-cert.gov/advisories/ICSA-17-115-02	Third Party Advisory, US Government Resource, VDB Entry

Impacted products

Vendor	Product	Version
sierra_wireless	airlink_raven_xe_firmware	*
sierra_wireless	airlink_raven_xe	-
sierra_wireless	airlink_raven_xt_firmware	-
sierra_wireless	airlink_raven_xt	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:sierra_wireless:airlink_raven_xe_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BBD39D07-982E-4B1A-910C-76190E77665C",
              "versionEndIncluding": "-",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:sierra_wireless:airlink_raven_xe:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F96F360C-3F60-462E-92A3-EE44E3624CCE",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:sierra_wireless:airlink_raven_xt_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "3AF87F04-D3EC-49B7-BDD7-9FCE2324B051",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:sierra_wireless:airlink_raven_xt:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4D81786F-6C77-42F1-ADDF-594B8D53584F",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Cross-Site Request Forgery issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Affected devices do not verify if a request was intentionally sent by the logged-in user, which may allow an attacker to trick a client into making an unintentional request to the web server that will be treated as an authentic request."
    },
    {
      "lang": "es",
      "value": "Se ha descubierto un problema de Cross-Site Request Forgery (CSRF) en Sierra Wireless AirLink Raven XE, en todas las versiones anteriores a la 4.0.14, y en AirLink Raven XT, en todas las versiones anteriores a la 4.0.11. Los dispositivos afectados no verifican si una petici\u00f3n fue intencionadamente enviada por el usuario que ha iniciado sesi\u00f3n, lo que podr\u00eda permitir que un atacante enga\u00f1e a un cliente para que realice una petici\u00f3n no intencionada al servidor web que ser\u00e1 tratada como petici\u00f3n aut\u00e9ntica."
    }
  ],
  "id": "CVE-2017-6042",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-06-30T03:29:00.593",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/98036"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "US Government Resource",
        "VDB Entry"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-115-02"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/98036"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource",
        "VDB Entry"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-115-02"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

VAR-201706-0466

Vulnerability from variot - Updated: 2023-12-18 12:03

A Cross-Site Request Forgery issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Affected devices do not verify if a request was intentionally sent by the logged-in user, which may allow an attacker to trick a client into making an unintentional request to the web server that will be treated as an authentic request. SierraWirelessAirLinkRavenXE and XT are wireless gateway products from Sierra Wireless, Canada. A cross-site request forgery vulnerability exists in SierraWirelessAirLinkRavenXE and XT because the program failed to verify that the request came from a logged in user. A remote attacker could exploit this vulnerability to perform unauthorized operations. Other attacks are also possible

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201706-0466",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "airlink raven xt",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "sierra",
        "version": null
      },
      {
        "model": "airlink raven xe",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "sierra",
        "version": null
      },
      {
        "model": "airlink raven xe",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "sierra",
        "version": "4.0.14"
      },
      {
        "model": "airlink raven xt",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "sierra",
        "version": "4.0.11"
      },
      {
        "model": "wireless airlink raven xe",
        "scope": null,
        "trust": 0.6,
        "vendor": "sierra",
        "version": null
      },
      {
        "model": "wireless airlink raven xt",
        "scope": "lt",
        "trust": 0.6,
        "vendor": "sierra",
        "version": "4.0.11"
      },
      {
        "model": "airlink raven xe",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "sierra",
        "version": null
      },
      {
        "model": "wireless airlink raven xt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sierra",
        "version": "0"
      },
      {
        "model": "wireless airlink raven xe",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sierra",
        "version": "0"
      },
      {
        "model": "wireless airlink raven xt",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "sierra",
        "version": "4.0.11"
      },
      {
        "model": "wireless airlink raven xe",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "sierra",
        "version": "4.0.14"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "airlink raven xe",
        "version": "*"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "airlink raven xt",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "a9cdf060-16a9-4232-9523-14f306451840"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-06451"
      },
      {
        "db": "BID",
        "id": "98036"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-005260"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-6042"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201704-1501"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:sierra_wireless:airlink_raven_xe_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "-",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:sierra_wireless:airlink_raven_xe:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:sierra_wireless:airlink_raven_xt_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:sierra_wireless:airlink_raven_xt:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-6042"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Karn Ganeshen.",
    "sources": [
      {
        "db": "BID",
        "id": "98036"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201704-1501"
      }
    ],
    "trust": 0.9
  },
  "cve": "CVE-2017-6042",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": true,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 6.8,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2017-6042",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2017-06451",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "a9cdf060-16a9-4232-9523-14f306451840",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.2,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.9 [IVD]"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "VHN-114245",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.8,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 8.8,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2017-6042",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2017-6042",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2017-06451",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201704-1501",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "IVD",
            "id": "a9cdf060-16a9-4232-9523-14f306451840",
            "trust": 0.2,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-114245",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "a9cdf060-16a9-4232-9523-14f306451840"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-06451"
      },
      {
        "db": "VULHUB",
        "id": "VHN-114245"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-005260"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-6042"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201704-1501"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A Cross-Site Request Forgery issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Affected devices do not verify if a request was intentionally sent by the logged-in user, which may allow an attacker to trick a client into making an unintentional request to the web server that will be treated as an authentic request. SierraWirelessAirLinkRavenXE and XT are wireless gateway products from Sierra Wireless, Canada. A cross-site request forgery vulnerability exists in SierraWirelessAirLinkRavenXE and XT because the program failed to verify that the request came from a logged in user. A remote attacker could exploit this vulnerability to perform unauthorized operations. Other attacks are also possible",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-6042"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-005260"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-06451"
      },
      {
        "db": "BID",
        "id": "98036"
      },
      {
        "db": "IVD",
        "id": "a9cdf060-16a9-4232-9523-14f306451840"
      },
      {
        "db": "VULHUB",
        "id": "VHN-114245"
      }
    ],
    "trust": 2.7
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2017-6042",
        "trust": 3.6
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-17-115-02",
        "trust": 2.8
      },
      {
        "db": "BID",
        "id": "98036",
        "trust": 2.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201704-1501",
        "trust": 0.9
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-06451",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-005260",
        "trust": 0.8
      },
      {
        "db": "IVD",
        "id": "A9CDF060-16A9-4232-9523-14F306451840",
        "trust": 0.2
      },
      {
        "db": "VULHUB",
        "id": "VHN-114245",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "a9cdf060-16a9-4232-9523-14f306451840"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-06451"
      },
      {
        "db": "VULHUB",
        "id": "VHN-114245"
      },
      {
        "db": "BID",
        "id": "98036"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-005260"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-6042"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201704-1501"
      }
    ]
  },
  "id": "VAR-201706-0466",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "a9cdf060-16a9-4232-9523-14f306451840"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-06451"
      },
      {
        "db": "VULHUB",
        "id": "VHN-114245"
      }
    ],
    "trust": 1.6368421
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS",
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      },
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.2
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "a9cdf060-16a9-4232-9523-14f306451840"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-06451"
      }
    ]
  },
  "last_update_date": "2023-12-18T12:03:57.552000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "AirLink Raven XE",
        "trust": 0.8,
        "url": "https://source.sierrawireless.com/devices/raven-series/raven-xe/"
      },
      {
        "title": "AirLink Raven XT",
        "trust": 0.8,
        "url": "https://source.sierrawireless.com/devices/raven-series/raven-xt/"
      },
      {
        "title": "Patch for SierraWirelessAirLinkRavenXE and XT Cross-Site Request Forgery Vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/93570"
      },
      {
        "title": "Sierra Wireless AirLink Raven XE  and XT Fixes for cross-site request forgery vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=69694"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-06451"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-005260"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201704-1501"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-352",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-114245"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-005260"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-6042"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.8,
        "url": "https://ics-cert.us-cert.gov/advisories/icsa-17-115-02"
      },
      {
        "trust": 2.3,
        "url": "http://www.securityfocus.com/bid/98036"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6042"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-6042"
      },
      {
        "trust": 0.3,
        "url": "http://subscriber.communications.siemens.com/"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-06451"
      },
      {
        "db": "VULHUB",
        "id": "VHN-114245"
      },
      {
        "db": "BID",
        "id": "98036"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-005260"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-6042"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201704-1501"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "a9cdf060-16a9-4232-9523-14f306451840"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-06451"
      },
      {
        "db": "VULHUB",
        "id": "VHN-114245"
      },
      {
        "db": "BID",
        "id": "98036"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-005260"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-6042"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201704-1501"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-05-14T00:00:00",
        "db": "IVD",
        "id": "a9cdf060-16a9-4232-9523-14f306451840"
      },
      {
        "date": "2017-05-14T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2017-06451"
      },
      {
        "date": "2017-06-30T00:00:00",
        "db": "VULHUB",
        "id": "VHN-114245"
      },
      {
        "date": "2017-04-25T00:00:00",
        "db": "BID",
        "id": "98036"
      },
      {
        "date": "2017-07-25T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-005260"
      },
      {
        "date": "2017-06-30T03:29:00.593000",
        "db": "NVD",
        "id": "CVE-2017-6042"
      },
      {
        "date": "2017-04-28T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201704-1501"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-05-14T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2017-06451"
      },
      {
        "date": "2019-10-09T00:00:00",
        "db": "VULHUB",
        "id": "VHN-114245"
      },
      {
        "date": "2017-05-02T01:09:00",
        "db": "BID",
        "id": "98036"
      },
      {
        "date": "2017-07-25T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-005260"
      },
      {
        "date": "2019-10-09T23:28:37.467000",
        "db": "NVD",
        "id": "CVE-2017-6042"
      },
      {
        "date": "2019-10-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201704-1501"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201704-1501"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Sierra Wireless AirLink Raven XE and XT Cross-Site Request Forgery Vulnerability",
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-06451"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201704-1501"
      }
    ],
    "trust": 1.2
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "cross-site request forgery",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201704-1501"
      }
    ],
    "trust": 0.6
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2017-6042 (GCVE-0-2017-6042)

ICSA-17-115-02

GSD-2017-6042

GHSA-WP73-M8WC-M2MM

CNVD-2017-06451

FKIE_CVE-2017-6042

VAR-201706-0466

Tags

Sightings

Nomenclature