CVE-2017-5255

{"id": "CVE-2017-5255", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2017-12-20T22:29:00.353", "references": [{"url": "https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/", "tags": ["Third Party Advisory"], "source": "cve@rapid7.con"}, {"url": "https://www.exploit-db.com/exploits/43413/", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@rapid7.con"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}, {"type": "Secondary", "source": "cve@rapid7.con", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "In version 3.5 and prior of Cambium Networks ePMP firmware, a lack of input sanitation for certain parameters on the web management console allows any authenticated user (including the otherwise low-privilege readonly user) to inject shell meta-characters as part of a specially-crafted POST request to the get_chart function and run OS-level commands, effectively as root."}, {"lang": "es", "value": "En versiones de firmware 3.5 y anteriores de Cambium Networks ePMP, la falta de saneamiento de valores de entrada para determinados par\u00e1metros en la consola de gesti\u00f3n web permite que cualquier usuario autenticado (incluyendo el usuario de privilegios bajos readonly) inyecte metacaracteres shell como parte de una petici\u00f3n POST especialmente manipulada en la funci\u00f3n get_chart y ejecute comandos a nivel de sistema operativo de manera efectiva como root."}], "lastModified": "2019-10-09T23:28:15.997", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:cambiumnetworks:epmp_1000_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C34AD2DB-DB83-4A97-9754-4EED41AB7738", "versionEndIncluding": "3.5"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:cambiumnetworks:epmp_1000:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E1DBFE3B-C808-4CE0-A100-860EC50EFED0"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:cambiumnetworks:epmp_2000_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EAB69F4D-5CE6-4ED9-A93C-F79FEB0EE6A4", "versionEndIncluding": "3.5"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:cambiumnetworks:epmp_2000:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "4DD13A30-1185-4F9F-BE71-54520BC857BA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@rapid7.con"}