Lucene search

[email protected]CVE-2017-14706

HistoryOct 03, 2022 - 4:23 p.m.

CVE-2017-14706

2022-10-0316:23:39

CWE-287

[email protected]

web.nvd.nist.gov

cve-2017-14706

denyall waf

authentication bypass

unauthenticated

remote attack

information disclosure

security vulnerability

nvd

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.752 High

EPSS

Percentile

98.2%

JSON

DenyAll WAF before 6.4.1 allows unauthenticated remote attackers to obtain authentication information by making a typeOf=debug request to /webservices/download/index.php, and then reading the iToken field in the reply. This affects DenyAll i-Suite LTS 5.5.0 through 5.5.12, i-Suite 5.6, Web Application Firewall 5.7, and Web Application Firewall 6.x before 6.4.1, with On Premises or AWS/Azure cloud deployments.

Affected configurations

NVD

Node

denyalli-suiteMatch5.5.0lts

denyalli-suiteMatch5.5.9lts

denyalli-suiteMatch5.5.10lts

denyalli-suiteMatch5.5.11lts

denyalli-suiteMatch5.5.12lts

denyalli-suiteMatch5.6.0lts

denyallweb_application_firewallMatch5.7.0

denyallweb_application_firewallMatch6.0.0

denyallweb_application_firewallMatch6.1.0

denyallweb_application_firewallMatch6.2.0

denyallweb_application_firewallMatch6.3.0

denyallweb_application_firewallMatch6.4.0

CPENameOperatorVersion
denyall:i-suitedenyall i-suiteeq5.5.0
denyall:i-suitedenyall i-suiteeq5.5.9
denyall:i-suitedenyall i-suiteeq5.5.10
denyall:i-suitedenyall i-suiteeq5.5.11
denyall:i-suitedenyall i-suiteeq5.5.12
denyall:i-suitedenyall i-suiteeq5.6.0
denyall:web_application_firewalldenyall web application firewalleq5.7.0
denyall:web_application_firewalldenyall web application firewalleq6.0.0
denyall:web_application_firewalldenyall web application firewalleq6.1.0
denyall:web_application_firewalldenyall web application firewalleq6.2.0

CPE	Name	Operator	Version
denyall:i-suite	denyall i-suite	eq	5.5.0
denyall:i-suite	denyall i-suite	eq	5.5.9
denyall:i-suite	denyall i-suite	eq	5.5.10
denyall:i-suite	denyall i-suite	eq	5.5.11
denyall:i-suite	denyall i-suite	eq	5.5.12
denyall:i-suite	denyall i-suite	eq	5.6.0
denyall:web_application_firewall	denyall web application firewall	eq	5.7.0
denyall:web_application_firewall	denyall web application firewall	eq	6.0.0
denyall:web_application_firewall	denyall web application firewall	eq	6.1.0
denyall:web_application_firewall	denyall web application firewall	eq	6.2.0

Rows per page:

1-10 of 121

References

github.com/rapid7/metasploit-framework/pull/8980

pentest.blog/advisory-denyall-web-application-firewall-unauthenticated-remote-code-execution/

www.denyall.com/blog/advisories/advisory-unauthenticated-remote-code-execution-denyall-web-application-firewall/

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.752 High

EPSS

Percentile

98.2%

JSON

Related for CVE-2017-14706

cvelist2 checkpoint_advisories1 prion2 nvd2 cve1