[c-nsp] Cisco Security Advisory: Cisco Application-Hosting Framework Directory Traversal Vulnerability

psirt at cisco.com
Wed Mar 22 12:15:13 EDT 2017


Cisco Security Advisory: Cisco Application-Hosting Framework Directory Traversal Vulnerability

Advisory ID: cisco-sa-20170322-caf1

Revision: 1.0

For Public Release: 2017 March 22 16:00 GMT

Last Updated: 2017 March 22 16:00 GMT

CVE ID(s): CVE-2017-3851

CVSS Score v(3): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

+---------------------------------------------------------------------

Summary
=======
A vulnerability in the web framework code of the Cisco application-hosting framework (CAF) component of the Cisco IOx application environment could allow an unauthenticated, remote attacker to read any file from the CAF in the virtual instance running on the affected device.

The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by submitting crafted requests to the CAF web interface. The impacts of a successful exploit are limited to the scope of the virtual instance and do not impact the router that is hosting Cisco IOx.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-caf1
