#VU8716 Directory traversal in Cisco License Manager


Published: 2017-10-05

Vulnerability identifier: #VU8716

Vulnerability risk: Low

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2017-12263

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cisco License Manager
Client/Desktop applications / Other client software

Vendor: Cisco Systems, Inc

Description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists in the web interface of Cisco License Manager software due to improper sanitization of user-supplied input in HTTP request parameters that describe filenames. A remote attacker can use directory traversal techniques to submit a path to a desired file location and view application files that may contain sensitive information.

Successful exploitation of the vulnerability results in information disclosure.


Mitigation
No release planned to fix this bug.

Vulnerable software versions

Cisco License Manager: 3.2.6


External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-clm


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

