Lucene search

MitreCVE-2017-12785

HistoryAug 22, 2017 - 5:29 p.m.

CVE-2017-12785

2017-08-2217:29:00

CWE-119

mitre

web.nvd.nist.gov

cve-2017-12785

novish cli

noviware

nw400.2.6

noviswitch

buffer overflow

root code execution

command injection

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.002

Percentile

59.7%

JSON

The novish command-line interface, included in the NoviWare software distribution through NW400.2.6 and deployed on NoviSwitch devices, is prone to a buffer overflow in the “show log cli” command. This could be used by a read-only user (monitor role) to gain privileged (root) code execution on the switch via command injection.

Affected configurations

Nvd

Node

noviflownoviwareRange≤400.2.6

VendorProductVersionCPE
noviflownoviware*cpe:2.3:a:noviflow:noviware:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
noviflow	noviware	*	cpe:2.3:a:noviflow:noviware::::::::

References

www.exploit-db.com/exploits/42518/

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.002

Percentile

59.7%

JSON

Related for CVE-2017-12785