CVE-2017-9279

NetIQ Identity Manager before 4.5.6.1 allowed uploading files with double extensions or non-image content in the Themes handling of the User Application Administration, allowing malicious user administrators to potentially execute code or mislead users.

CVSS v3 7.2 HIGH
CVSS v2.0 9.0 HIGH

7.2^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability : 8.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://bugzilla.suse.com/show_bug.cgi?id=1049129
https://download.novell.com/Download?buildid=K7lbPAGJyIk~

Configurations

Configuration 1 (hide)

cpe:2.3:a:netiq:identity_manager:*:*:*:*:*:*:*:*

History

07 Nov 2023, 02:50

Type	Values Removed	Values Added
References	~~(CONFIRM) https://bugzilla.suse.com/show_bug.cgi?id=1049129 - Issue Tracking, Permissions Required, Third Party Advisory~~	() https://bugzilla.suse.com/show_bug.cgi?id=1049129 -
References	~~(CONFIRM) https://download.novell.com/Download?buildid=K7lbPAGJyIk~ - Vendor Advisory~~	() https://download.novell.com/Download?buildid=K7lbPAGJyIk~ -

Information

Published : 2018-03-02 20:29

Updated : 2023-12-10 12:30

NVD link : CVE-2017-9279

Mitre link : CVE-2017-9279

CVE.ORG link : CVE-2017-9279

JSON object : View

Products Affected

netiq

identity_manager

CWE

CWE-20

Improper Input Validation

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2017-9279", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": true, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Secondary", "source": "security@opentext.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 2.0, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 0.6}]}, "published": "2018-03-02T20:29:00.910", "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=1049129", "source": "security@opentext.com"}, {"url": "https://download.novell.com/Download?buildid=K7lbPAGJyIk~", "source": "security@opentext.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Secondary", "source": "security@opentext.com", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "NetIQ Identity Manager before 4.5.6.1 allowed uploading files with double extensions or non-image content in the Themes handling of the User Application Administration, allowing malicious user administrators to potentially execute code or mislead users."}, {"lang": "es", "value": "NetIQ Identity Manager, en versiones anteriores a la 4.5.6.1, permit\u00eda la subida de archivos con doble extensi\u00f3n o contenido sin im\u00e1genes en la manipulaci\u00f3n de temas de User Application Administration. Esto permit\u00eda que usuarios administradores maliciosos ejecutasen c\u00f3digo o confundiesen a los usuarios."}], "lastModified": "2023-11-07T02:50:41.507", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netiq:identity_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B66D9825-C8A9-45E2-B932-BA2444FCA62E", "versionEndExcluding": "4.5.6.1"}], "operator": "OR"}]}], "sourceIdentifier": "security@opentext.com"}