CVE-2017-11395

Command injection vulnerability in Trend Micro Smart Protection Server (Standalone) 3.1 and 3.2 server administration UI allows attackers with authenticated access to execute arbitrary code on vulnerable installations.

CVSS v3 8.8 HIGH
CVSS v2.0 6.5 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.coresecurity.com/advisories/trend-micro-smart-protection-os-command-injection	Exploit Third Party Advisory
http://www.securityfocus.com/bid/100461	Third Party Advisory VDB Entry
https://success.trendmicro.com/solution/1117933	Mitigation Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:trendmicro:smart_protection_server:3.1:::::::*
	cpe:2.3:a:trendmicro:smart_protection_server:3.2:::::::*

History

No history.

Information

Published : 2017-09-22 16:29

Updated : 2023-12-10 12:15

NVD link : CVE-2017-11395

Mitre link : CVE-2017-11395

CVE.ORG link : CVE-2017-11395

JSON object : View

Products Affected

trendmicro

smart_protection_server

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2017-11395", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2017-09-22T16:29:00.197", "references": [{"url": "http://www.coresecurity.com/advisories/trend-micro-smart-protection-os-command-injection", "tags": ["Exploit", "Third Party Advisory"], "source": "security@trendmicro.com"}, {"url": "http://www.securityfocus.com/bid/100461", "tags": ["Third Party Advisory", "VDB Entry"], "source": "security@trendmicro.com"}, {"url": "https://success.trendmicro.com/solution/1117933", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "source": "security@trendmicro.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Command injection vulnerability in Trend Micro Smart Protection Server (Standalone) 3.1 and 3.2 server administration UI allows attackers with authenticated access to execute arbitrary code on vulnerable installations."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n de comandos en la interfaz de usuario de administraci\u00f3n del servidor Trend Micro Smart Protection Server (Standalone) en sus versiones 3.1 y 3.2 permite que los atacantes con acceso autenticado ejecuten c\u00f3digo arbitrario en instalaciones vulnerables."}], "lastModified": "2019-10-03T00:03:26.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:trendmicro:smart_protection_server:3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CB62FC55-4EA1-485E-9381-C14BA2F1E074"}, {"criteria": "cpe:2.3:a:trendmicro:smart_protection_server:3.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4157366A-854E-4993-B08B-FAF7EA4D9ED2"}], "operator": "OR"}]}], "sourceIdentifier": "security@trendmicro.com"}